b'            EVALUATION REPORT\n\n\n                         Independent Evaluation of\n                        NRC\xe2\x80\x99s Implementation of the\n                  Federal Information Security Management\n                           Act for Fiscal Year 2008\n\n                  OIG-08-A-18        September 26, 2008\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                UNITED STATES\n                        NUCLEAR REGULATORY COMMISSION\n                                 WASHINGTON, D.C. 20555-0001\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                                  September 26, 2008\n\n\nMEMORANDUM TO:             R. William Borchardt\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum /RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                           IMPLEMENTATION OF THE FEDERAL INFORMATION\n                           SECURITY MANAGEMENT ACT FOR FISCAL YEAR 2008\n                           (OIG-08-A-18)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled, Independent\nEvaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security Management\nAct For Fiscal Year 2008.\n\nThe report presents the results of the subject audit. Agency comments provided at the\nSeptember 16, 2008, exit conference have been incorporated, as appropriate, into this\nreport.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. 
Actions taken or\nplanned are subject to OIG follow up as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915 or Beth Serepca, Team Leader, Security and Information Management Audit\nTeam, at 415-5911.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nEdward M. Hackett, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste and Materials\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJim E. Dyer, Chief Financial Officer\nMargaret M. Doane, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nBruce S. Mallett, Deputy Executive Director for Reactor\n and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Waste, Research,\n State, Tribal, and Compliance Programs, OEDO\nDarren B. Ash, Deputy Executive Director for Corporate Management\n and Chief Information Officer, OEDO\nVonna L. Ordaz, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nCynthia A. Carpenter, Director, Office of Enforcement\nCharles L. Miller, Director, Office of Federal and State Materials\n  and Environmental Management Programs\nGuy P. Caputo, Director, Office of Investigations\nThomas M. Boyce, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nMichael R. Johnson, Director, Office of New Reactors\nMichael F. Weber, Director, Office of Nuclear Material Safety and Safeguards\nEric J. Leeds, Director, Office of Nuclear Reactor Regulation\nBrian W. 
Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nLuis A. Reyes, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nElmo E. Collins, Jr., Regional Administrator, Region IV\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              for Fiscal Year 2008\n\n\n\n\n                                Contract Number: GS-00F-0001N\n                                 Delivery Order Number: 20291\n\n                                                 September 19, 2008\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                                         Independent Evaluation of\n                                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n           On December 17, 2002, the President signed the E-Government Act of 2002, which\n           included the Federal Information Security Management Act (FISMA) of 2002. FISMA\n           outlines the information security management requirements for agencies, which include\n           an annual independent evaluation of an agency\xe2\x80\x99s information security program1 and\n           practices to determine their effectiveness. 
This evaluation must include testing the\n           effectiveness of information security policies, procedures, and practices for a\n           representative subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual\n           evaluation to be performed by the agency\xe2\x80\x99s Inspector General (IG) or by an independent\n           external auditor.\n\n           Office of Management and Budget (OMB) memorandum M-08-21, FY 2008 Reporting\n           Instructions for the Federal Information Security Management Act and Agency Privacy\n           Management, dated July 14, 2008, requires the agency\xe2\x80\x99s IG to complete the OMB\n           FISMA Reporting Template for IGs (referred to by OMB as Section C). That template is\n           submitted to OMB as part of the agency\xe2\x80\x99s annual FISMA report and is included as\n           Appendix B to this report.\n\n           This report reflects the status of the agency\xe2\x80\x99s information system security program as of\n           the completion of fieldwork on August 31, 2008. Any information received from the\n           agency subsequent to the completion of fieldwork was incorporated when possible.\n\nPURPOSE\n\n           The objective of this review was to perform an independent evaluation of the Nuclear\n           Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA for fiscal year (FY) 2008.\n\nRESULTS IN BRIEF\n\n           Program Enhancements and Improvements\n\n           Over the past 6 years, NRC has made improvements to its information system security\n           program and continues to make progress in implementing the recommendations resulting\n           from previous FISMA evaluations. In order to meet FISMA requirements as they relate\n           to information technology (IT) security, the Commission, on November 14, 2007,\n           approved the establishment of the Computer Security Office (CSO). 
The new office\n           reports to the Deputy Executive Director for Information Services (DEDIS) and Chief\n           Information Officer (CIO) and is headed by the Chief Information Security Officer\n           (CISO). The CISO plans, directs, and oversees the implementation of a comprehensive,\n           coordinated, integrated, and cost-effective NRC IT security program, consistent with\n\n\n1\n    For the purposes of FISMA, the agency uses the term \xe2\x80\x9cinformation system security program.\xe2\x80\x9d\n\n\n                                                          i\n\x0c                                                                                            Independent Evaluation of\n                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n           applicable laws; regulations; Commission, Executive Director for Operations, and CIO\n           direction; management initiatives; and policies.\n\n           Two significant deficiencies were identified in the FY 2007 FISMA independent\n           evaluation. Both of these significant deficiencies have been addressed in FY 2008.\n\n               \xe2\x80\xa2    In FY 2007, only 2 of the 30 operational NRC information systems had a current\n                    certification and accreditation, and only 4 of the 11 systems used or operated by a\n                    contractor or other organization on behalf of the agency had a current certification\n                    and accreditation. As of the completion of fieldwork for FY 2008, 14 of the 28\n                    most risk-significant operational NRC information systems had a current\n                    certification and accreditation, and 8 of the 11 systems used or operated by a\n                    contractor or other organization on behalf of the agency had a current certification\n                    and accreditation. 
While only 50 percent of the operational NRC information\n                    systems have a current certification and accreditation, Carson Associates no\n                    longer considers this a significant deficiency due to the significant progress the\n                    agency has made during the past fiscal year. The FY 2007 FISMA independent\n                    evaluation found that in the past 2 years the agency had completed certification\n                    and accreditation of only two NRC systems and one contractor system for which\n                    NRC has direct oversight. In FY 2008, the agency completed certification and\n                    accreditation of 12 NRC systems and 1 contractor system for which NRC has\n                    direct oversight \xe2\x80\x93 more than four times the number completed in the previous 2\n                    fiscal years.2 The certification and accreditation of two systems is nearing\n                    completion, and the agency has stated in its fourth quarter FY 2008 FISMA\n                    submission to OMB that it plans to complete certification and accreditation of the\n                    remaining systems in FY 2009.\n               \xe2\x80\xa2    In FY 2007, annual contingency plan testing was still not being performed for all\n                    systems. 
As of the completion of fieldwork for FY 2008, the agency had\n                    completed annual contingency plan testing for all agency systems and all\n                    contractor systems for which NRC has direct oversight.\n\n           In addition to making significant progress on the two significant deficiencies identified in\n           FY 2007, the agency has accomplished the following since the FY 2007 FISMA\n           independent evaluation:\n\n               \xe2\x80\xa2    All major applications and general support systems have been categorized in\n                    accordance with Federal Information Processing Standards (FIPS) Publication\n                    199, Standards for Security Categorization of Federal Information and\n                    Information Systems.\n               \xe2\x80\xa2    The agency completed annual security control testing for all agency systems and\n                    for all contractor systems for which NRC has direct oversight.\n\n\n\n2\n    One system was issued a limited authorization to operate that expires after 1 year. 
The agency is currently making\n    the corrections specified by the designated approving authority and is recertifying and re-accrediting the system.\n\n\n                                                            ii\n\x0c                                                                                       Independent Evaluation of\n                                                                        NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n               \xe2\x80\xa2   The agency completed or updated security plans for 14 of the agency\xe2\x80\x99s 28\n                   operational systems and for all contractor systems for which NRC has direct\n                   oversight.\n               \xe2\x80\xa2   The agency has made progress in implementing the provisions of OMB\n                   Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\n                   Personally Identifiable Information (PII). For example, on September 19, 2007,\n                   NRC issued the NRC Personally Identifiable Information Breach Policy and the\n                   NRC Plan to Eliminate the Unnecessary Collection and Use of Social Security\n                   Numbers. Section 3.7.2 provides additional details on the agency\xe2\x80\x99s progress in\n                   implementing the provisions of the OMB memorandum.\n\n           Program Weaknesses\n\n           While the agency has made significant improvements in its information system security\n           program and has made progress in implementing the recommendations resulting from\n           previous FISMA evaluations, the independent evaluation identified four information\n           system security program weaknesses. 
Two are repeat findings from the FY 2007\n           independent evaluation, and two are new.\n\n               \xe2\x80\xa2   The NRC inventory does not identify interfaces between systems (new finding).\n               \xe2\x80\xa2   The quality of the agency\xe2\x80\x99s plans of action and milestones (POA&M) needs\n                   improvement (repeat finding).\n               \xe2\x80\xa2   Not all Windows XP and Vista systems3 have implemented Federal Desktop Core\n                   Configuration (FDCC) security settings (new finding).\n               \xe2\x80\xa2   The agency lacks procedures for ensuring employees with significant IT security\n                   responsibilities receive security training (repeat finding).\n\nRECOMMENDATIONS\n\n           This report makes recommendations to the Executive Director for Operations to improve\n           NRC\xe2\x80\x99s information system security program and implementation of FISMA.\n           Recommendations are made in this report for the new findings only. Recommendations\n           for the repeat findings were made in prior reports and completion of those findings is\n           being tracked through the Office of the Inspector General (OIG) followup process. A\n           consolidated list of recommendations appears on page 33 of this report.\n\nAGENCY COMMENTS\n\n           At an exit conference on September 16, 2008, agency officials agreed with the report\xe2\x80\x99s\n           findings and recommendations and provided 2 editorial changes, which the OIG\n           incorporated as appropriate. 
The agency opted not to submit formal comments.\n\n\n\n\n3\n    Windows XP and Vista are operating systems produced by Microsoft.\n\n\n                                                        iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                        Independent Evaluation of\n                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nBPIAD               Business Process Improvement and Applications Division\nCarson Associates   Richard S. Carson and Associates, Inc.\nCIO                 Chief Information Officer\nCIS                 Center for Internet Security\nCISO                Chief Information Security Officer\nCSIRT               Computer Security Incident Response Team\nCSO                 Computer Security Office\nDEDIS               Deputy Executive Director for Information Services\nDISA                Defense Information Systems Agency\nFDCC                Federal Desktop Core Configuration\nFIPS                Federal Information Processing Standard\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nIATO                Interim Authorization to Operate\nIG                  Inspector General\nIRSD                Information and Records Services Division\nISS                 Information System Security\nIT                  Information Technology\nMD                  Management Directive\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nNSICD               NRC System Information Control Database\nOIG                 Office of the Inspector General\nOIS                 Office of Information Services\nOMB          
       Office of Management and Budget\nP2P                 Peer-to-Peer\nP3P                 Platform for Privacy Preferences Project\nPIA                 Privacy Impact Assessment\nPII                 Personally Identifiable Information\nPOA&M               Plan of Action and Milestones\nSP                  Special Publication\nUPI                 Unique Project Identifier\nUS-CERT             United States Computer Emergency Readiness Team\n\n\n\n\n                                           v\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                                           Independent Evaluation of\n                                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\nAbbreviations and Acronyms ...................................................................................... v\n\n1 Background .............................................................................................................. 1\n2 Purpose .................................................................................................................... 1\n3 Findings.................................................................................................................... 1\n  3.1 FISMA Systems Inventory (Question 1) ........................................................ 
4\n            All Major Applications and General Support Systems Have Been Categorized in Accordance\n                           With FIPS 199..................................................................................................... 5\n            Security Categorizations Reflect the Information Types That Reside on the Systems................ 5\n    3.2     FISMA Systems Inventory (Question 2) ........................................................ 6\n            Annual Contingency Plan Testing Was Completed for All Agency Systems and All Contractor\n                          Systems for Which NRC Has Direct Oversight .................................................. 7\n    3.3     Evaluation of Agency Oversight of Contractor Systems (Question 3a) ..... 8\n            Agency Oversight of Contractor Systems Meets FISMA Requirements..................................... 8\n            Agency Continues To Have Difficulty in Obtaining Documentation That Demonstrates\n                         e-Government Systems Meet FISMA Requirements.......................................... 9\n    3.4     Evaluation of Quality of Agency System Inventory (Questions 3b-3f) ..... 10\n            FINDING A \xe2\x80\x93 The NRC Inventory Does Not Identify Interfaces Between Systems (New\n                        Finding) ............................................................................................................. 11\n    3.5     Evaluation of Agency POA&M Process (Question 4)................................. 11\n            FINDING B \xe2\x80\x93 The Quality of the Agency\xe2\x80\x99s POA&Ms Still Needs Improvement (Repeat\n                        Finding) ............................................................................................................. 13\n            NRC Has Made Progress in Correcting Weaknesses Reported on Its POA&Ms ...................... 
14\n    3.6     IG Assessment of the Certification and Accreditation Process (Question\n            5) ..................................................................................................................... 15\n            NRC Has Made Significant Progress in Certifying and Accrediting Its Systems...................... 18\n            NRC Has Completed or Updated Security Plans for 14 of the Agency\xe2\x80\x99s 28 Operational\n            Systems and for All Contractor Systems for Which NRC Has Direct Oversight ...................... 18\n            The Agency\xe2\x80\x99s Certification and Accreditation Process and the Documents Completed Using\n                          the New Procedures are Consistent with NIST Guidance................................. 18\n            NRC Has Completed Annual Security Control Testing for All Agency Systems and for All\n                          Contractor Systems for Which NRC Has Direct Oversight .............................. 20\n    3.7     IG Assessment of Agency Privacy Program and Privacy Impact\n            Assessment (PIA) Process (Questions 6-7) ................................................ 21\n            3.7.1      Privacy Impact Assessment Process .......................................................... 21\n            3.7.2      Progress in Implementing OMB M-07-16 ..................................................... 23\n    3.8     Configuration Management (Question 8) .................................................... 25\n            3.8.1      Configuration Policy and Common Security Configurations .................... 25\n            3.8.2      Federal Desktop Core Configuration (FDCC).............................................. 
26\n\n\n                                                                     vii\n\x0c                                                                                                     Independent Evaluation of\n                                                                                      NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n            FINDING C \xe2\x80\x93 Not All Windows XP and Vista Systems Have Implemented FDCC Security\n                        Settings (New Finding) ..................................................................................... 27\n    3.9 Incident Reporting (Question 9)................................................................... 29\n    3.10 Security Awareness Training (Question 10) ............................................... 29\n            FINDING D \xe2\x80\x93 Agency Still Developing Procedures for Ensuring Employees With Significant\n                        IT Security Responsibilities Receive Security Training (Repeat Finding) ....... 30\n  3.11 Collaborative Web Technologies and Peer-to-Peer File Sharing\n       (Question 11) ................................................................................................. 31\n  3.12 E-Authentication Risk Assessments (Question 12) ................................... 31\n4 Consolidated List of Recommendations ............................................................. 33\n5 Agency Comments ................................................................................................ 35\n\n\nAppendices\n\n    Appendix A. SCOPE AND METHODOLOGY.................................................................... 37\n    Appendix B. FY 2008 OMB FISMA REPORTING TEMPLATE FOR IGs ......................... 39\n\n\n\nList of Tables\n\n    Table 3-1. Total Number of Agency and Contractor Systems and Number\n               Reviewed by FIPS 199 Risk Impact Level ........................................................4\n    Table 3-2. 
Number and Percentage of Systems Reviewed That Are Certified and\n               Accredited, for Which Security Controls Have Been Tested and\n               Reviewed in the Past Year, and for Which Contingency Plans Have\n               Been Tested in Accordance With Policy by FIPS 199 Risk Impact Level .....6\n\n\n\n\n                                                                 viii\n\x0c                                                                                        Independent Evaluation of\n                                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n1          Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included\nFISMA.4 FISMA outlines the information security management requirements for agencies,\nwhich include an annual independent evaluation of an agency\xe2\x80\x99s information security program\nand practices to determine their effectiveness. This evaluation must include testing the\neffectiveness of information security policies, procedures, and practices for a representative\nsubset of the agency\xe2\x80\x99s information systems. FISMA requires the annual evaluation to be\nperformed by the agency\xe2\x80\x99s IG or by an independent external auditor.\n\nOMB memorandum M-08-21 requires the agency\xe2\x80\x99s IG to complete the OMB FISMA Reporting\nTemplate for IGs. That template is submitted to OMB as part of the agency\xe2\x80\x99s annual FISMA\nreport.\n\nRichard S. Carson and Associates, Inc. (Carson Associates), performed an independent\nevaluation of NRC\xe2\x80\x99s implementation of FISMA for FY 2008. This report presents the results of\nthat independent evaluation. Carson Associates also prepared the OMB FISMA Reporting\nTemplate for IGs for inclusion in the agency\xe2\x80\x99s annual FISMA report. 
The OMB FISMA\nReporting Template for IGs is included as Appendix B to this report.\n\nThis report reflects the status of the agency\xe2\x80\x99s information system security program as of the\ncompletion of fieldwork on August 31, 2008. Any information received from the agency\nsubsequent to the completion of fieldwork was incorporated when possible.\n\n2          Purpose\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2008. Appendix A contains a description of the evaluation scope and\nmethodology.\n\n3          Findings\n\nOver the past 6 years, NRC has made improvements to its information system security program\nand continues to make progress in implementing the recommendations resulting from previous\nFISMA evaluations. In order to meet FISMA requirements as they relate to IT security, the\nCommission, on November 14, 2007, approved the establishment of the CSO. The new office\nreports to the DEDIS and CIO and is headed by the CISO. 
The CISO plans, directs, and\noversees the implementation of a comprehensive, coordinated, integrated, and cost-effective\nNRC IT security program, consistent with applicable laws; regulations; Commission, Executive\nDirector for Operations, and CIO direction; management initiatives; and policies.\n\nThe CSO was established to serve as the focal point for IT security and to provide vision,\nleadership, and oversight in developing, promulgating, and implementing an end-to-end NRC IT\n\n4\n    The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\n    Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act,\n    which expired in November 2002.\n\n\n                                                         1\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nsecurity strategy. The CSO is divided into three core areas: Cyber Situational Awareness,\nAnalysis, and Response Team; FISMA Compliance and Oversight Team; and Policy, Standards,\nand Training Team. The CSO provides IT security oversight responsibility, coordinates the\noverall agency IT security program, develops policies and procedures, and provides assistance\nwith security reviews, assessments, and plans to those offices requiring it. The organizational\nchanges became effective November 25, 2007. 
The DEDIS/CIO acted as the CISO until that\nposition was filled effective March 16, 2008.\n\nTwo significant deficiencies were identified in the FY 2007 FISMA independent evaluation.\nBoth of these significant deficiencies have been addressed in FY 2008.\n\n   \xe2\x80\xa2   In FY 2007, only 2 of the 30 operational NRC information systems had a current\n       certification and accreditation, and only 4 of the 11 systems used or operated by a\n       contractor or other organization on behalf of the agency had a current certification and\n       accreditation. As of the completion of fieldwork for FY 2008, 14 of the 28 most risk-\n       significant operational NRC information systems had a current certification and\n       accreditation, and 8 of the 11 systems used or operated by a contractor or other\n       organization on behalf of the agency had a current certification and accreditation. While\n       only 50 percent of the operational NRC information systems have a current certification\n       and accreditation, Carson Associates no longer considers this a significant deficiency due\n       to the significant progress the agency has made during the past fiscal year. The FY 2007\n       FISMA independent evaluation found that in the past 2 years the agency had completed\n       certification and accreditation of only two NRC systems and one contractor system for\n       which NRC has direct oversight. 
In FY 2008, the agency completed certification and\n       accreditation of 12 NRC systems and 1 contractor system for which NRC has direct\n       oversight \xe2\x80\x93 more than four times the number completed in the previous 2 fiscal years.\n       The certification and accreditation of two systems is nearing completion, and the agency\n       has stated in its fourth quarter FY 2008 FISMA submission to OMB that it plans to\n       complete certification and accreditation of the remaining systems in FY 2009.\n   \xe2\x80\xa2   In FY 2007, annual contingency plan testing was still not being performed for all\n       systems. As of the completion of fieldwork for FY 2008, the agency had completed\n       annual contingency plan testing for all agency systems and all contractor systems for\n       which NRC has direct oversight.\n\nIn addition to making significant progress on the two significant deficiencies identified in FY\n2007, the agency has also accomplished the following since the FY 2007 FISMA independent\nevaluation:\n\n   \xe2\x80\xa2   All major applications and general support systems have been categorized in accordance\n       with FIPS 199.\n   \xe2\x80\xa2   The agency completed annual security control testing for all agency systems and for all\n       contractor systems for which NRC has direct oversight.\n   \xe2\x80\xa2   The agency completed or updated security plans for 14 of the agency\xe2\x80\x99s 28 operational\n       systems and for all contractor systems for which NRC has direct oversight.\n\n\n\n\n                                                2\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n   \xe2\x80\xa2   The agency has made progress in implementing the provisions of OMB Memorandum\n       M-07-16, Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information (PII). For example, on September 19, 2007, NRC issued the NRC Personally Identifiable Information Breach Policy and the NRC Plan to Eliminate the Unnecessary Collection and Use of Social Security Numbers. Section 3.7.2 provides additional details on the agency's progress in implementing the provisions of the OMB memorandum.

While the agency has made significant improvements in its information system security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified four information system security program weaknesses. Two are repeat findings from the FY 2007 independent evaluation, and two are new.

•   The NRC inventory does not identify interfaces between systems (new finding).
•   The quality of the agency's POA&Ms needs improvement (repeat finding).
•   Not all Windows XP and Vista systems have implemented FDCC security settings (new finding).
•   The agency lacks procedures for ensuring employees with significant IT security responsibilities receive security training (repeat finding).

Recommendations are made in this report for the new findings only. Recommendations for the repeat findings were made in prior reports, and completion of those recommendations is being tracked through the OIG followup process.

The following sections present the detailed findings from the independent evaluation and are organized based on the OMB FISMA Reporting Template for IGs, which can be found in Appendix B of this report. Each major section corresponds to a question or set of questions from the template.
Findings are presented in the sections to which they are relevant.

3.1   FISMA Systems Inventory (Question 1)

OMB Requirement: 1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized).
OIG Response: See Table 3-1 below.

Table 3-1.
Total Number of Agency and Contractor Systems and Number Reviewed by FIPS 199 Risk Impact Level

                       Agency Systems         Contractor Systems     Total (Agency and Contractor Systems)
FIPS 199 Risk          Number    Number       Number    Number       Total     Total Number
Impact Level                     Reviewed               Reviewed     Number    Reviewed
High                   11        1            1         0            12        1
Moderate               17        2            9         0            26        2
Low                    0         0            1         1            1         1
Not Categorized        0         0            0         0            0         0
Total                  28        3            11        1            39        4

NRC has a total of 28 operational systems that fall under FISMA reporting requirements.[5] Of the 28, 15 are general support systems[6] and 13 are major applications.[7] As required by FISMA, Carson Associates selected a subset of NRC systems for
evaluation during the FY 2008 FISMA independent evaluation.

NRC has a total of 11 systems operated by a contractor or other organization on behalf of the agency (9 major applications and 2 general support systems). Of the 11, 8 are operated by other Federal agencies, 1 is operated by a federally funded research and development center, and 2 are operated by private contractors. NRC has direct oversight of three of these systems. Oversight of the remaining eight systems is the responsibility of the Federal agencies operating the systems. Therefore, the IGs of those agencies are responsible for evaluating those systems.

[5] NRC also has a number of major applications and general support systems currently in development. For FISMA reporting purposes, only operational systems are considered.
[6] A general support system is an interconnected set of information resources under the same direct management control that share common functionality. Typical general support systems are local and wide area networks, servers, and data processing centers.
[7] A major application is a computerized information system or application that requires special attention to security because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of the information in the application.

As required by FISMA, Carson Associates selected for evaluation a subset of contractor systems for which NRC has direct oversight during the FY 2008 FISMA independent evaluation.

Security Categorization – Background

FIPS 199 requires all Federal agencies to categorize their information
systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The security categorization of an information system is conducted by first categorizing all information types[8] resident on the information system. The security category of an information type is established by determining the potential impact (i.e., low, moderate, high) for each security objective (i.e., confidentiality, integrity, availability) associated with the particular information type.

The security categorization of an information system must take into account the security categories of all information types resident on the information system being categorized. For an information system, the potential impact values assigned to the respective security objectives are the highest values (i.e., high-water mark) from among the security categories that have been determined for each information type resident on the information system.

All Major Applications and General Support Systems Have Been Categorized in Accordance With FIPS 199

The FY 2007 independent evaluation found that the majority of NRC major applications and general support systems had not been categorized in accordance with FIPS 199. As of the completion of fieldwork, the agency has completed categorizations for all major applications and general support systems, including those operated by a contractor or other organization on behalf of the agency. The agency completed security categorizations for 13 agency systems and 6 contractor systems in FY 2008. The agency also updated the security categorization for one contractor system in FY 2008.

Security Categorizations Reflect the Information Types That Reside on the Systems

The FY 2007 independent evaluation also found that security categorizations for some systems did not consistently reflect the information types that reside on the systems.
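The high-water mark rule described above, carried through in code and then used to test whether a declared system categorization is consistent with the information types resident on the system, as an added example (this is not code from the report, from NRC, or from Carson Associates). The information types and impact values are constructed; the `overall_impact` roll-up to a single level per system is the usual FIPS 199 convention and is an assumption about how the level reported in Table 3-1 is derived.

```python
"""FIPS 199 security categorization by the high-water mark rule.

Added example, not part of the OIG report and not NRC's categorization
procedure. The information types and impact values below are constructed
for illustration.
"""
from typing import Dict, List

IMPACT_ORDER = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# A security category: one potential-impact value per security objective.
SecurityCategory = Dict[str, str]


def validate_category(sc: SecurityCategory) -> None:
    """Reject a category that omits an objective or uses an unknown impact value."""
    for obj in OBJECTIVES:
        if sc.get(obj) not in IMPACT_ORDER:
            raise ValueError(f"{obj} must be low, moderate or high; got {sc.get(obj)!r}")


def system_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """High-water mark: for each objective, the highest impact value among all
    information types resident on the system."""
    if not info_types:
        raise ValueError("a system must have at least one information type")
    result: SecurityCategory = {}
    for obj in OBJECTIVES:
        highest = "low"
        for sc in info_types.values():
            validate_category(sc)
            if IMPACT_ORDER[sc[obj]] > IMPACT_ORDER[highest]:
                highest = sc[obj]
        result[obj] = highest
    return result


def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level for inventory roll-ups such as Table 3-1: the
    highest of the three objective values (assumed convention)."""
    validate_category(sc)
    return max(sc.values(), key=IMPACT_ORDER.__getitem__)


def check_categorization(declared: SecurityCategory,
                         info_types: Dict[str, SecurityCategory]) -> List[str]:
    """Compare a declared system categorization with what its resident
    information types imply. Returns the discrepancies; empty when consistent."""
    validate_category(declared)
    implied = system_category(info_types)
    return [f"{obj}: declared {declared[obj]}, information types imply {implied[obj]}"
            for obj in OBJECTIVES if declared[obj] != implied[obj]]


# Constructed data: a hypothetical system and its information types. The type
# names follow the examples in the report's footnote 8; the values are invented.
EXAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "investigative":       {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "privacy":             {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "security management": {"confidentiality": "high",     "integrity": "moderate", "availability": "low"},
}

# Constructed declared categorization that understates confidentiality.
EXAMPLE_DECLARED: SecurityCategory = {
    "confidentiality": "moderate", "integrity": "moderate", "availability": "low",
}

if __name__ == "__main__":
    implied = system_category(EXAMPLE_INFO_TYPES)
    print(implied)                    # {'confidentiality': 'high', 'integrity': 'moderate', 'availability': 'low'}
    print(overall_impact(implied))    # high
    for problem in check_categorization(EXAMPLE_DECLARED, EXAMPLE_INFO_TYPES):
        print("DISCREPANCY:", problem)
```

The check in `check_categorization` is the mechanical half of the review the report describes: if a new information type is added to a system, or an existing type is re-categorized, rerunning it shows which objective of the system's declared categorization no longer reflects its contents.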
The agency has started the process of reviewing and correcting security categorizations and has developed security categorization review criteria as a supplement to the existing security categorization procedures. To evaluate the agency's progress in resolving the problem, Carson Associates reviewed the security categorizations for three agency systems and two contractor systems. We compared the information types enumerated in the security categorizations with the primary information types for those systems as identified in the agency's Exhibit 53[9] for FY 2007 and with updated unique project identifiers (UPI)[10] provided by the agency. Carson Associates found that the security categorizations for four of the five systems reflect the primary business area, primary line of business, and/or primary sub-function of those systems as indicated on the Exhibit 53 or in the updated UPI.

[8] Information is categorized according to its information type. An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive order, directive, policy, or regulation.
[9] The Exhibit 53 is used by agencies to report their IT investment portfolio annually to OMB. The Exhibit 53 provides budget estimates for all IT investments and identifies those that are major investments.

3.2   FISMA Systems Inventory (Question 2)

OMB Requirement: 2.
For the total number of systems reviewed by component/bureau and FIPS system impact level for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.
OIG Response: See Table 3-2 below.

Table 3-2. Number and Percentage of Systems Reviewed That Are Certified and Accredited, for Which Security Controls Have Been Tested and Reviewed in the Past Year, and for Which Contingency Plans Have Been Tested in Accordance With Policy, by FIPS 199 Risk Impact Level

                       Certified and Accredited   Security Controls Tested and   Contingency Plans Tested in
                                                  Reviewed in the Past Year      Accordance With Policy
FIPS 199 Risk          Total     Percent          Total     Percent              Total     Percent
Impact Level           Number    of Total         Number    of Total             Number    of Total
High                   1         100%             1         100%                 1         100%
Moderate               2         100%             2         100%                 2         100%
Low                    1         100%             1         100%                 1         100%
Not Categorized        0         100%             0         100%                 0         100%
Total                  4         100%             4         100%                 4         100%

This section reports on the number of reviewed agency and contractor systems that are certified and accredited and for which security controls have been tested and reviewed in the past year. Section 3.6 of this report discusses the assessment of the agency's certification and accreditation process in detail and includes the certification and accreditation status and the annual security control testing status of all agency and contractor systems.

[10] The UPI is a 17-digit line code used to uniquely identify IT investments on an Exhibit 53. Each investment identified in an agency's portfolio must have a unique UPI.

Contingency Plan Testing – Background

FISMA requires agencies to develop plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems, states that contingency plans should be tested at least annually and when significant changes are made to the information system, supported business process(es), or the contingency plan. Management Directive (MD) and Handbook 12.5, NRC Automated Information Security Program, states that the NRC shall comply with the NIST guidance, to include guidance related to the preparation of security documentation (such as system security plans, IT risk assessments, and IT contingency plans) and other applicable NIST automated information security guidance for IT security processes, procedures, and testing. MD 12.5 also states that IT contingency plans for major applications and general support systems shall be tested each year. A live test provides the best indication of the adequacy of a contingency plan. If a live test cannot be conducted due to operational constraints, a simulated test may be conducted in lieu of the live test. NRC Information Systems Security (ISS) and Office of Information Services (OIS) procedures also require annual contingency plan testing for all major applications and general support systems, including generating a contingency plan test report.

Annual Contingency Plan Testing Was Completed for All Agency Systems and All Contractor Systems for Which NRC Has Direct Oversight

On November 8, 2007, the CIO sent the agency a request for contingency plan schedules that included a requirement to complete contingency plan testing no later than June 30, 2008. The request also noted that if a system is owned by another agency, then the other agency is responsible for the contingency plan testing; however, NRC must acquire a memorandum from the other agency stating that it has completed its annual contingency plan test in accordance with FISMA.
This memorandum must also be received by June 30, 2008.

The FY 2005, FY 2006, and FY 2007 FISMA independent evaluations found that annual contingency plan testing was not being performed for all systems. The lack of annual contingency plan testing was reported as a significant deficiency in the FY 2006 and FY 2007 FISMA independent evaluation reports. In FY 2007, only 5 of the 30 operational NRC information systems and 2 of the 11 systems used or operated by a contractor or other organization on behalf of the agency had their contingency plans tested.

As of the completion of fieldwork for FY 2008, contingency plan testing[11] was completed for all 28 operational NRC information systems and for the 3 contractor systems for which NRC has direct oversight. The agency also received notification from the Federal agencies responsible for eight additional contractor systems that contingency plan testing was completed in FY 2008 for those systems.

[11] Any testing performed between September 1, 2007, and the completion of fieldwork would be considered as FY 2008 test results.

3.3   Evaluation of Agency Oversight of Contractor Systems (Question 3a)

OMB Requirement: 3.a.
The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.
OIG Response: Almost Always (96-100% of the time)

Oversight of Contractor Systems – Background

FISMA requires agencies to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (1) information collected or maintained by or on behalf of the agency or (2) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.[12]

NRC defines two types of systems that are operated by a contractor or other organization on behalf of NRC – e-Government systems and contractor systems. An e-Government system is a system that processes NRC information and is operated and maintained by another Federal agency, and a contractor system is a system that processes NRC information and is operated and maintained by a contractor. NRC requires all e-Government and contractor systems to be certified and accredited prior to processing any sensitive NRC information or connecting to the NRC infrastructure, and for contractor systems, also requires the same annual security requirements and recertification and re-accreditation requirements as NRC systems.

NRC has a total of 11 systems operated by a contractor or other organization on behalf of the agency. Of the 11, 8 are considered e-Government systems and 3 are considered contractor systems. NRC has direct oversight of the three contractor systems.
Oversight of the eight e-Government systems is the responsibility of the Federal agencies operating the systems.

Agency Oversight of Contractor Systems Meets FISMA Requirements

In previous FISMA independent evaluations, Carson Associates found that oversight of contractor systems was lacking. In FY 2007, of the four contractor systems for which NRC has direct oversight,[13] only one had a current certification and accreditation and met all NRC requirements for contractor systems.

[12] Information systems used or operated by a contractor of an agency or other organization on behalf of the agency refers to information systems that the agency considers to be either major applications or general support systems.
[13] NRC removed one of the four contractor systems for which it has direct oversight from its inventory.

As of the completion of fieldwork for FY 2008, two of the three contractor systems for which NRC has direct oversight had a current certification and accreditation. All three had their
security controls tested and reviewed in the past year and had completed annual contingency plan testing.

[13, continued] This system was consolidated into the local area network/wide area network general support system and is no longer reported as a separate system.

Agency Continues To Have Difficulty in Obtaining Documentation That Demonstrates e-Government Systems Meet FISMA Requirements

In previous FISMA independent evaluations, Carson Associates found that the agency was not maintaining documentation that demonstrates e-Government systems meet FISMA requirements. The agency has been working with the offices to assist in acquiring the required documentation for e-Government systems; however, according to the agency, some of the other Federal agencies have been unwilling to provide documentation that demonstrates their systems meet FISMA requirements.

The agency continues to have difficulty in obtaining documentation that demonstrates e-Government systems meet FISMA requirements. The following is a summary of the status of documentation for e-Government systems in use at NRC.

•   The agency has received documentation from the Federal agencies responsible for six e-Government systems stating that those systems have a current certification and accreditation.
One Federal agency has not responded regarding the certification and accreditation status of its system, and one Federal agency system has an expired certification and accreditation.
•   The agency has received documentation from the Federal agencies responsible for four e-Government systems stating that those systems have had their security controls tested and reviewed in the past year. Two Federal agencies have not responded regarding the annual security control testing for the three systems for which they are responsible, and one Federal agency system is currently undergoing a recertification and re-accreditation, but a new authorization to operate has not been issued. Subsequent to the completion of fieldwork, the agency received documentation from a Federal agency responsible for two e-Government systems stating those systems have had their security controls tested and reviewed in the past year.
•   The agency has received notification from the Federal agencies responsible for all eight e-Government systems stating that those systems have completed annual contingency plan testing.

In its fourth quarter FY 2008 FISMA report to OMB, the agency stated that next year it will remove the e-Government systems from the NRC inventory of reportable systems. The agency will continue to track e-Government systems in its inventory database, but will not be reporting to OMB the status of those systems' certification and accreditation, annual security control testing, or annual contingency plan testing. This should be the responsibility of the Federal agencies that own the systems.
Reporting by the agencies that use e-Government systems provided by other Federal agencies is duplicative.

3.4   Evaluation of Quality of Agency System Inventory (Questions 3b-3f)

OMB Requirement: 3.b. The agency has developed a complete inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
OIG Response: Inventory is 96-100% complete

OMB Requirement: 3.c. The IG generally agrees with the CIO on the number of agency-owned systems.
OIG Response: Yes

OMB Requirement: 3.d. The IG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.
OIG Response: Yes

OMB Requirement: 3.e. The agency inventory is maintained and updated at least annually.
OIG Response: Yes

OMB Requirement: 3.f. If the agency IG does not evaluate the agency's inventory as 96-100% complete, please identify the known missing systems by component/bureau, the UPI associated with the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an agency or contractor system.
OIG Response: N/A (none missing)

Agency System Inventory – Background

FISMA requires agencies to develop and maintain an inventory of major information systems operated by or under control of the agency.
The inventory must include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. The inventory must be updated at least annually and must also be used to support information resources management. MD and Handbook 12.5 also requires all interfaces to be included in the inventory, including interfaces with systems or networks not operated by or under the control of the agency.

To address findings from previous independent evaluations regarding the agency's inventory, the agency developed an automated inventory system, the NRC System Information Control Database (NSICD), to house the inventory of automated information systems. The agency inventory is maintained and updated at least annually. The agency issues data calls twice a year, typically in January and August. Data call packages include an explanation of the data fields found on the data call inventory sheets and instructions on how to verify and enter the data. The agency also developed several procedures and guides to assist NRC offices with the data calls and to assist the agency in maintaining the inventory data in the new system.

FINDING A – The NRC Inventory Does Not Identify Interfaces Between Systems (New Finding)

Carson Associates reviewed security plans for eight systems to identify the interfaces for those systems. Carson Associates then reviewed the records for those systems in NSICD to determine if the agency's inventory included the interfaces identified in the security plans.
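A reconciliation of the kind just described, as an added example that is not part of the report and not NSICD code: interface lists taken from security plans are compared with the inventory records, each record is classified as missing, inconsistent or consistent, and, going one step beyond the report, interfaces between two agency systems are checked for appearing in both systems' plans. The system names and interface lists are constructed, and representing each system's interfaces as a set of system names is an assumption about the data model.

```python
"""Reconcile interface information in a system inventory against the
systems' security plans.

Added example, not part of the OIG report and not NSICD code. The system
names and interface lists are constructed; representing each system's
interfaces as a set of system names is an assumption about the data model.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed security-plan data: system -> systems its plan says it interfaces with.
SECURITY_PLAN_INTERFACES: Dict[str, Set[str]] = {
    "SYS-A": {"SYS-B", "SYS-C", "SYS-D"},
    "SYS-B": {"SYS-A"},
    "SYS-C": {"SYS-A", "EXT-PARTNER"},   # EXT-PARTNER is not under agency control
    "SYS-D": set(),                      # plan lists no interfaces at all
}

# Constructed inventory records: None models an interface field left blank.
INVENTORY_INTERFACES: Dict[str, Optional[Set[str]]] = {
    "SYS-A": None,
    "SYS-B": {"SYS-A"},
    "SYS-C": {"SYS-A"},                  # recorded, but EXT-PARTNER is missing
    "SYS-D": None,
}


def reconcile(plan: Dict[str, Set[str]],
              inventory: Dict[str, Optional[Set[str]]]) -> Dict[str, Dict[str, object]]:
    """Classify each inventory record as missing, inconsistent or consistent
    with the security plan and list the exact differences to correct.
    A blank field is always 'missing': a system with no interfaces should be
    recorded as an explicit empty list, not left blank, so the two cases can
    be told apart."""
    report: Dict[str, Dict[str, object]] = {}
    for system, planned in plan.items():
        recorded = inventory.get(system)
        if recorded is None:
            report[system] = {"status": "missing",
                              "not_in_inventory": sorted(planned), "not_in_plan": []}
            continue
        not_in_inventory = sorted(planned - recorded)
        not_in_plan = sorted(recorded - planned)
        status = "inconsistent" if (not_in_inventory or not_in_plan) else "consistent"
        report[system] = {"status": status,
                          "not_in_inventory": not_in_inventory, "not_in_plan": not_in_plan}
    return report


def asymmetric_interfaces(plan: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Interfaces listed by one inventoried system but not by its peer.
    This check goes beyond the report: an interface between two agency
    systems should appear in both security plans. Peers absent from the plan
    data (external systems) are skipped, since no peer record is expected."""
    pairs = []
    for system, peers in plan.items():
        for peer in peers:
            if peer in plan and system not in plan[peer]:
                pairs.append((system, peer))
    return sorted(pairs)


def summarize(report: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """Count records by status, the figure an inventory review would report."""
    counts = {"missing": 0, "inconsistent": 0, "consistent": 0}
    for entry in report.values():
        counts[str(entry["status"])] += 1
    return counts


if __name__ == "__main__":
    result = reconcile(SECURITY_PLAN_INTERFACES, INVENTORY_INTERFACES)
    for system, entry in result.items():
        print(system, entry)
    print("one-sided interfaces:", asymmetric_interfaces(SECURITY_PLAN_INTERFACES))
    print(summarize(result))
```

The same comparison can be run with the risk assessments as the second source, since the report notes that interface information is documented in both; Recommendation 2 below asks for exactly this kind of consistency procedure.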
Although the NSICD database schema includes a field for the identification of interfaces between systems, and the data calls include a requirement to identify interfacing systems, Carson Associates found that only one of the eight records reviewed included interface information, and that information was not consistent with the interface information in the system's security plan.

The agency has acknowledged that the interface information in the inventory is incomplete and is currently populating a comment field in the database with interface information. The agency has also stated it is planning to redesign the inventory database schema to ensure interface information can be adequately captured in the future. While the NRC inventory does not identify interfaces between systems as required by FISMA, interface information is documented in both the security plans and risk assessments for the systems reviewed.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update the NRC System Information Control Database to identify all interfaces between systems.
2. Develop and implement procedures to ensure interface information in the NRC System Information Control Database is consistent with interface information in security plans and risk assessments.

3.5   Evaluation of Agency POA&M Process (Question 4)

OMB Requirement: 4.a. The POA&M is an agencywide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
OIG Response: Almost Always (96-100% of the time)

OMB Requirement: 4.b.
When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).
OIG Response: Almost Always (96-100% of the time)

OMB Requirement: 4.c. Program officials and contractors report their progress on security weakness remediation to the CIO on a regular basis (at least quarterly).
OIG Response: Almost Always (96-100% of the time)

OMB Requirement: 4.d. Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
OIG Response: Almost Always (96-100% of the time)

OMB Requirement: 4.e. IG findings are incorporated into the POA&M process.
OIG Response: Almost Always (96-100% of the time)

OMB Requirement: 4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.
OIG Response: Almost Always (96-100% of the time)

Agency POA&M Process – Background

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency.
MD and Handbook 12.5 requires system owners/sponsors to ensure that a POA&M is developed, implemented, and maintained to track the major weaknesses that have been identified for office-sponsored information systems. Each office shall regularly update the CIO on its progress in correcting system weaknesses to enable the CIO to provide the agency's quarterly FISMA update report to OMB.

NRC has two primary tools for tracking IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. At a high level, NRC uses the POA&Ms required by OMB to track (1) corrective actions from the OIG annual independent evaluation, (2) corrective actions from the agency's annual review, and (3) recurring FISMA and IT security action items, such as annual security control assessments and annual contingency plan testing. The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC.

The more specific corrective actions associated with the certification and accreditation process (e.g., corrective actions resulting from risk assessments and security control testing) are tracked in Rational® ClearQuest®[14] as change requests using the project management methodology process for change management. All certification and accreditation corrective actions arising from the security control testing process and from vulnerability scans are imported into Rational ClearQuest. A corrective action plan is generated directly from Rational ClearQuest.
System\nowners are responsible for remediation of each corrective action within the timeframes specified\nin the corrective action plan using the project management methodology process for change\nrequests.\n\nThe agency has developed a process for requesting quarterly POA&M updates from system\nowners, compiling the data into a consolidated source, reviewing it for accuracy, rolling up the\ninformation, and reporting it to OMB. Five weeks prior to the quarterly submittal to OMB, the\nagency sends out a data call to the offices asking them to update the current POA&Ms for their\nsystems and add new weaknesses to the POA&Ms. Three weeks prior to the quarterly submittal\nto OMB, the agency receives the updated POA&M data from the system owners and enters the\ndata into NSICD. The agency also adds any new weaknesses identified from various sources\n\n14\n     Rational ClearQuest is an IBM software package used for software change management.\n\n\n                                                        12\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nincluding OIS recommendations and system certification artifacts. The agency provides\ninstructions on providing the quarterly updates to the POA&M and specifies that data in only\nfour fields on the POA&M should be changed: resources, brief description of work/services\nrequired, changes to milestones, and status.\n\nThe FY 2007 FISMA independent evaluation found that the quality of the agency\xe2\x80\x99s POA&Ms\nneeds improvement. Specifically, Carson Associates found that (1) the metrics submitted to\nOMB often deviated from the actual POA&Ms, and (2) the agency is not always following OMB\nand internal NRC POA&M guidance. 
The FY 2007 FISMA independent evaluation also found\nthat the agency had made minimal progress in correcting weaknesses reported on its POA&Ms.\n\nFINDING B \xe2\x80\x93 The Quality of the Agency\xe2\x80\x99s POA&Ms Still Needs Improvement (Repeat\nFinding)\n\nAs in previous independent evaluations, Carson Associates found that the quality of the agency\xe2\x80\x99s\nPOA&Ms still needs improvement. In assessing the agency\xe2\x80\x99s POA&M process, Carson\nAssociates found that (1) the metrics submitted to OMB often deviated from the actual\nPOA&Ms, and (2) the agency is not always following OMB and internal NRC POA&M\nguidance. Carson Associates also found that the agency is closing weaknesses without sufficient\nevidence from the system owner. The agency is currently in the process of implementing quality\nassurance procedures for POA&Ms.\n\nMetrics Submitted to OMB Deviate From the Actual POA&Ms\n\nAs in previous independent evaluations, Carson Associates found discrepancies between the\nmetrics submitted to OMB and the actual POA&Ms. The most common errors causing the\ndiscrepancies are:\n\n   \xe2\x80\xa2   Counting weaknesses as closed in more than one quarter.\n   \xe2\x80\xa2   Counting weaknesses as closed when they have not been closed by the OIG.\n   \xe2\x80\xa2   Not counting weaknesses as closed when they have been closed by the OIG prior to the\n       cutoff date for POA&M reporting.\n   \xe2\x80\xa2   Reporting weaknesses as on track when they are actually delayed.\n   \xe2\x80\xa2   Reporting weaknesses as delayed when they are still on track.\n\nThe Agency Is Not Always Following OMB and NRC Internal POA&M Guidance\n\nAs in previous FISMA evaluations, Carson Associates also found that the agency is not always\nfollowing OMB\xe2\x80\x99s POA&M guidance. The agency is also not following NRC internal POA&M\nguidance. 
The following are some examples of deviations from OMB and NRC internal\nPOA&M guidance found on the FY 2008 POA&Ms.\n\n\n\n\n                                               13\n\x0c                                                                                     Independent Evaluation of\n                                                                      NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n       \xe2\x80\xa2   Weaknesses with completion dates over a year old are not always removed from the\n           POA&Ms. OMB guidance15 states that weaknesses that are no longer undergoing\n           correction and have been completely mitigated for over a year should no longer be\n           reported in the agency POA&M.\n       \xe2\x80\xa2   Weaknesses with changes made to scheduled completion dates. OMB guidance states\n           that once an agency has completed the initial POA&M, no changes should be made to the\n           scheduled completion date.\n\nThe Agency Is Closing Weaknesses Without Sufficient Evidence from the System Owners\n\nDuring our analysis of weaknesses closed during the first quarter FY 2008, we identified nine\nweaknesses for one system that should not have been closed based on the corrective actions\ndescribed in the POA&M. We examined the documents referenced in the agency\xe2\x80\x99s resolution\nand found that they did not include the information required to close the weaknesses. We\nnotified the agency and the weaknesses were added back to the POA&M in the fourth quarter of\nFY 2008.\n\nAgency Progress in Implementing Quality Assurance Procedures for POA&Ms\n\nIn a memorandum to the OIG, the agency stated it has been working on automating the POA&M\nprocess by using NSICD to store, process, and generate the POA&Ms. Once the migration from\nthe Excel spreadsheet to the automated process is completed, the agency will draft procedures for\nthe new process. 
The agency has recently acquired the Environmental Protection Agency\xe2\x80\x99s\nFISMA reporting solution, the Automated System Security Evaluation and Remediation\nTracking system, to further automate the POA&M and continuous monitoring processes. The\nagency currently inputs POA&M data into the tool and has started developing a plan to ensure\nquality assurance is included in the POA&M process. The plan includes developing a POA&M\nchecklist, using a contractor to perform independent verification and validation of closed\nPOA&M items, and performing quarterly reviews of system and program level POA&Ms.\n\nNRC Has Made Progress in Correcting Weaknesses Reported on Its POA&Ms\n\nThe agency has made progress in correcting weaknesses reported on its POA&Ms. The agency\nhas corrected over 40 percent of its program and system level weaknesses in FY 2008. This is an\nimprovement over FY 2007, as in FY 2007 the agency had only corrected 35 percent of its\nprogram level weaknesses and just over 23 percent of its system level weaknesses.\n\n\n\n\n15\n     OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\n     Act.\n\n\n                                                      14\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n3.6    IG Assessment of the Certification and Accreditation Process (Question 5)\n\n                            OMB Requirement                                       OIG Response\n 5.a. The IG rates the overall quality of the agency\xe2\x80\x99s certification and     Satisfactory\n accreditation process as:\n 5.b. 
The IG\xe2\x80\x99s quality rating included or considered the following\n aspects of the C&A process:\n                                                            Security plan X\n                                                      System impact level X\n                                              System test and evaluation X\n                                                  Security control testing X\n                                                                             No (evaluated at the\n                                                       Incident handling\n                                                                             agency level)\n                                                                             No (evaluated at the\n                                             Security awareness training\n                                                                             agency level)\n                                                Configurations/patching X\n                                                                    Other Risk assessment\n\nThis section reports on Carson Associate\xe2\x80\x99s assessment of the agency\xe2\x80\x99s certification and\naccreditation process in detail. To evaluate the agency\xe2\x80\x99s certification and accreditation process,\nCarson Associates evaluated the certification and accreditation documents for the four systems\nselected for evaluation during the FY 2008 independent evaluation. We reviewed the\ncertification and accreditation process and procedures located on the agency\xe2\x80\x99s project\nmanagement methodology Web site and reviewed accreditation decision memoranda issued by\nthe agency\xe2\x80\x99s authorizing official. 
We also reviewed the agency\xe2\x80\x99s annual security control testing\nprocess.\n\nWe rated the overall quality of the agency\xe2\x80\x99s certification and accreditation process as satisfactory\nbecause the agency has not completed the certification and accreditation for all agency systems.\nWe did find that the agency has made significant progress in certifying and accrediting its\nsystems, including developing or updating security plans for several systems, and that the\nagency\xe2\x80\x99s certification and accreditation process and the documents completed using the new\nprocedures are consistent with NIST guidance. We also found that the agency has completed\nannual security control testing for all agency systems and for all contractor systems for which\nNRC has direct oversight.\n\nCertification and Accreditation \xe2\x80\x93 Background\n\nThe security certification and accreditation of information systems is integral to an agency\xe2\x80\x99s\ninformation security program and is an important activity that supports the risk management\nprocess required by FISMA. Information systems under development must be certified and\naccredited prior to becoming operational. 
Operational information systems must be recertified\n\n\n\n                                                 15\n\x0c                                                                                             Independent Evaluation of\n                                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nand re-accredited every 3 years in accordance with Federal policy,16 and whenever there is a\nsignificant change17 to the information system or its operational environment.\n\nThe following diagram18 illustrates the key activities, including certification and accreditation, in\nmanaging enterprise-level risk, i.e., risk resulting from the operation of an information system.\nAs illustrated in the diagram, NIST has developed several standards and guidelines to support the\nmanagement of enterprise risk. NIST SP 800-37, Guide for the Security Certification and\nAccreditation of Federal Information Systems, provides guidelines for certification and\naccreditation.\n\n\n\n\n16\n    OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal\n   Automated Information Resources.\n17\n    Examples of significant changes to an information system that should be reviewed for possible re-accreditation\n   include (1) installation of a new or upgraded operating system, middleware component, or application; (2)\n   modifications to system ports, protocols, or services; (3) installation of a new or upgraded hardware platform or\n   firmware component; and (4) modifications to cryptographic modules or services. 
Changes in laws, directives,\n   policies, or regulations, while not always directly related to the information system, can also potentially affect the\n   system security and trigger a re-accreditation action.\n18\n    The diagram was adapted from a diagram found in the NIST presentation \xe2\x80\x9cBuilding More Secure Information\n   Systems: A Strategy for Effectively Applying the Provisions of FISMA,\xe2\x80\x9d dated July 29, 2005\n   (http://csrc.nist.gov/sec-cert/PPT/fisma-overview-July29-2005.ppt).\n\n\n                                                            16\n\x0c                                                                                        Independent Evaluation of\n                                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nSecurity certification is a comprehensive assessment of the management, operational, and\ntechnical security controls19 that are planned or in place in an information system to determine\nthe extent to which the controls are (1) implemented correctly, (2) operating as intended, and (3)\nproducing the desired outcome with respect to meeting the security requirements for the\ninformation system. The results of a security certification are used to reassess the risks and\nupdate the system security plan, thus providing the factual basis for an authorizing official20 to\nrender a security accreditation decision. 
Security certification can include a variety of\nassessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and\nanalyzing) and associated assessment procedures depending on the depth and breadth of\nassessment required by the agency.\n\nSecurity accreditation is the official management decision given by a senior agency official to\n(1) authorize operation of an information system and (2) explicitly accept the risk to agency\noperations, agency assets, or individuals based on the implementation of an agreed-upon set of\nsecurity controls. By accrediting an information system, an agency official accepts responsibility\nfor the information system\xe2\x80\x99s security.\n\nThere are three types of accreditation decisions that can be rendered by authorizing officials: (1)\nauthorization to operate, (2) interim authorization to operate (IATO), and (3) denial of\nauthorization to operate.\n\n     \xe2\x80\xa2   Authorization to Operate \xe2\x80\x93 issued if, after assessing the results of the security\n         certification, the authorizing official deems that the risk to agency operations, agency\n         assets, or individuals is acceptable.\n     \xe2\x80\xa2   Interim Authorization to Operate \xe2\x80\x93 issued if, after assessing the results of the security\n         certification, the authorizing official deems that the risk to agency operations, agency\n         assets, or individuals is unacceptable, but there is an overarching mission necessity to\n         place the information system into operation or continue its operation. An IATO is\n         rendered when the security vulnerabilities identified in the information system (resulting\n         from deficiencies in the planned or implemented security controls) are significant but can\n         be addressed in a timely manner. 
An IATO provides a limited authorization to operate\n         the information system under specific terms and conditions and acknowledges greater\n         risk to the agency for a specified period of time. In accordance with OMB policy, an\n         information system is not accredited during the period of limited authorization to operate.\n         The duration established for an IATO should be commensurate with the risk to agency\n         operations, agency assets, or individuals associated with the operation of the information\n         system. When the security-related deficiencies have been adequately addressed, the\n         IATO should be lifted and the information system authorized to operate.\n\n\n\n19\n   Management controls are the safeguards or countermeasures that focus on the management of risk and the\n   management of information system security. Operational controls are the safeguards or countermeasures that\n   primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards\n   or countermeasures that are primarily implemented and executed by the information system through mechanisms\n   contained in the hardware, software, or firmware components of the system.\n20\n   The agency refers to the authorizing official as the designated approving authority.\n\n\n                                                        17\n\x0c                                                                                          Independent Evaluation of\n                                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n       \xe2\x80\xa2   Denial of Authorization to Operate \xe2\x80\x93 issued if, after assessing the results of the security\n           certification, the authorizing official deems that the risk to agency operations, agency\n           assets, or individuals is unacceptable. 
The information system is not accredited and\n           should not be placed into operation. If the information system is currently operational, all\n           activity should be halted.\n\nTo correct weaknesses identified by the FY 2005 and FY 2006 FISMA independent evaluations,\nthe agency implemented a new certification and accreditation process and developed templates\nfor all certification and accreditation documents, as well as instructions for completing the\ntemplates. The new certification and accreditation process was also integrated into the agency\xe2\x80\x99s\nproject management methodology.\n\nNRC Has Made Significant Progress in Certifying and Accrediting Its Systems\n\nThe FY 2005, FY 2006, and FY 2007 FISMA independent evaluations found that the majority of\nNRC information systems were not certified and accredited. The lack of certification and\naccreditations for the majority of the agency\xe2\x80\x99s systems was reported as a significant deficiency in\nthe FY 2006 and FY 2007 FISMA independent evaluation reports. In FY 2007, only 2 of the 30\noperational NRC information systems had a current certification and accreditation, and only 4 of\nthe 11 systems used or operated by a contractor or other organization on behalf of the agency had\na current certification and accreditation. 
As of the completion of fieldwork for FY 2008, 14 of\nthe 28 most risk significant operational NRC information systems and 8 of the 11 systems used\nor operated by a contractor or other organization on behalf of the agency had a current\ncertification and accreditation.\n\nNRC Has Completed or Updated Security Plans for 14 of the Agency\xe2\x80\x99s 28 Operational\nSystems and for All Contractor Systems for Which NRC Has Direct Oversight\n\nAs of the completion of fieldwork for FY 2008, 14 agency systems and the 3 contractor systems\nfor which NRC has direct oversight had new or updated security plans.21\n\nThe Agency\xe2\x80\x99s Certification and Accreditation Process and the Documents Completed\nUsing the New Procedures are Consistent with NIST Guidance\n\nThe FY 2007 independent evaluation found that the agency\xe2\x80\x99s new certification and accreditation\nprocess was inconsistent with NIST guidance \xe2\x80\x93 specifically that certification and accreditation\ndocuments completed using the new procedures are inconsistent with NIST guidance. In a\nmemorandum to the OIG, the agency stated it is creating checklists to ensure the quality of\ncertification and accreditation documents. The checklist for security categorizations was\ncompleted and issued to the agency in August 2007. The agency also stated it is in the process of\ndeveloping evaluation criteria checklists for three additional documents. The agency will\ncontinue to develop evaluation checklists and distribute them to all system owners and certifying\nagents. 
NRC is also currently soliciting feedback from certifying agents and system owners on\n\n\n21\n     The Federal agencies responsible for the eight e-Government systems would be responsible for updating those\n     security plans.\n\n\n                                                          18\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nthe checklist developed to date. NRC plans to use contract support for reviewing and providing\nfeedback on documents and packages to system owners.\n\nCarson Associates evaluated the certification and accreditation documents for the four systems\nselected for evaluation during the FY 2008 independent evaluation and found that the documents\ncompleted using the new procedures are consistent with NIST guidelines.\n\nAnnual Security Control Testing and Continuous Monitoring \xe2\x80\x93 Background\n\nFISMA requires agencies to develop, document, and implement an agencywide information\nsecurity program that includes periodic testing and evaluation of the effectiveness of information\nsecurity policies, procedures, and practices, to be performed with a frequency depending on risk,\nbut no less than annually. Such testing shall include testing of management, operational, and\ntechnical controls of every information system identified in the inventory required by FISMA.\n\nSecurity assessments are conducted to determine the extent to which the controls are\nimplemented correctly, operating as intended, and producing the desired outcome with respect to\nmeeting the security requirements for the system. 
To satisfy the annual FISMA assessment\nrequirement, organizations can draw upon the security control assessment results from any of the\nfollowing sources, including but not limited to: (1) security certifications conducted as part of an\ninformation system accreditation or reaccreditation process, (2) continuous monitoring activities,\nor (3) testing and evaluation of the information system as part of the ongoing system\ndevelopment life cycle process (provided that the testing and evaluation results are current and\nrelevant to the determination of security control effectiveness). Existing security assessment\nresults are reused to the extent that they are still valid and are supplemented with additional\nassessments as needed. OMB does not require an annual assessment of all security controls\nemployed in an organizational information system. In accordance with OMB policy,\norganizations must annually assess a subset of the security controls based on: (1) the FIPS 199\nsecurity categorization of the information system, (2) the specific security controls selected and\nemployed by the organization to protect the information system, and (3) the level of assurance\n(or confidence) that the organization must have in determining the effectiveness of the security\ncontrols in the information system. It is expected that the organization will assess all of the\nsecurity controls in the information system during the 3-year accreditation cycle. 
The\norganization can use the current year\xe2\x80\x99s assessment results obtained during security certification\nto meet the annual FISMA assessment requirement.\n\nThe FY 2007 FISMA guidance stated that for FY 2007 and beyond agencies are required to use\nFIPS 200, Minimum Security Requirements for Federal Information and Information Systems,\nand NIST SP 800-53, Recommended Security Controls for Federal Information Systems, for the\nspecification of security controls, and NIST SP 800-37 and SP 800-53A, Guide for Assessing the\nSecurity Controls in Federal Information Systems, for the assessment of security control\neffectiveness. The FY 2008 FISMA guidance reiterated this requirement.\n\nThe FY 2007 independent evaluation found that the agency did not follow OMB and NIST\nguidance when conducting its annual security control assessments (formerly referred to as self-\nassessments). In May 2008, the agency issued a task order for completing annual security\ncontrol testing for FY 2008. The statement of work specified which agency systems require\n\n\n                                                 19\n\x0c                                                                                 Independent Evaluation of\n                                                                  NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\nannual security control testing and which do not. Agency systems that were authorized to\noperate within the past fiscal year have already had their security controls tested and, therefore,\ndo not require additional annual security control testing. Agency systems that are currently\nundergoing a certification and accreditation also do not require additional annual security control\ntesting. 
A total of 14 agency systems were identified for annual security control testing.\n\nThe contractor selected to perform the annual security control testing worked with the agency to\ndevelop selection criteria for determining which security controls would be tested in FY 2008.\nThe CSO identified a set of 48 core controls to be evaluated for each system specified in the\nstatement of work. Systems scheduled for annual security control testing that are currently\noperating under an authorization to operate were required to have an additional one-third of the\nremaining controls selected for evaluation. The additional controls for these systems were\nselected based on POA&M items resolved in the previous 12 months (or time period following\nauthorization to operate), with additional controls selected from the Access Control,\nConfiguration Management, Contingency Planning, Incident Response, System Maintenance,\nand System and Services Acquisition control families and/or specific controls deemed necessary\nby the assessor based on the sensitivity level of the system. For each system scheduled for\ntesting, the contractor prepared an annual security control test plan and a report.\n\nNRC Has Completed Annual Security Control Testing for All Agency Systems and for All\nContractor Systems for Which NRC Has Direct Oversight\n\nAs of the completion of fieldwork for FY 2008, annual security control testing was completed\nfor all 14 agency systems identified for annual security control testing. The report for one\nsystem is still a draft, but a final report is expected to be issued before the end of the fiscal year.\nIn addition, the security test and evaluations for the three agency systems currently undergoing a\ncertification and accreditation have also been completed. 
The security test and evaluation reports\nfor those systems are also drafts, but finals are also expected to be issued before the end of the\nfiscal year.\n\nAnnual security control testing is also required for any contractor systems for which NRC has\ndirect oversight. Annual security control testing for e-Government systems is the responsibility\nof the Federal agencies that operate those systems. NRC has direct oversight of three contractor\nsystems. One contractor system was authorized to operate in FY 2008 and, therefore, did not\nrequire additional annual security control testing. Annual security control testing was completed\nfor the other two contractor systems for which NRC has direct oversight.\n\nFor the eight e-Government systems in use at NRC, NRC policy is to confirm with the owner\nagencies that annual security control testing has been completed. The agency has received\ndocumentation from the Federal agencies responsible for four e-Government systems stating that\nthose systems had their security controls tested and reviewed in the past year. 
Two Federal\nagencies have not responded regarding the annual security control testing for the three systems\nfor which they are responsible, and one Federal agency system is currently undergoing a\nrecertification and re-accreditation, but a new authorization to operate has not been issued.\nSubsequent to the completion of fieldwork, the agency received documentation from a Federal\nagency responsible for two e-Government systems stating those systems have had their security\ncontrols tested and reviewed in the past year.\n\n\n                                                  20\n\x0c                                                                                             Independent Evaluation of\n                                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n\n\n3.7         IG Assessment of Agency Privacy Program and Privacy Impact\n            Assessment (PIA) Process (Questions 6-7)\n\n3.7.1 Privacy Impact Assessment Process\n\n                                    OMB Requirement                                              OIG Response\n 6. Provide a qualitative assessment of the agency\xe2\x80\x99s Privacy Impact                          Excellent\n Assessment (PIA) process, including adherence to existing policy,\n guidance, and standards.\n\nCarson Associates evaluated the agency\xe2\x80\x99s PIA process against the questions from the PIA and\nWeb Privacy Policies and Processes section of the OMB Reporting Template for Senior Agency\nOfficials for Privacy.\n\n6.a.        
Does the agency have a written policy or process for determining whether a PIA is\n            needed?\n\nMD and Handbook 3.2, Privacy Act, requires office directors and regional administrators to\nensure that PIAs are prepared and submitted to OIS before developing or procuring IT that\ncollects, maintains, or disseminates personal information about individuals or when initiating a\nnew electronic collection of personal information in identifiable form22 from 10 or more persons.\nIn accordance with the agency\xe2\x80\x99s project management methodology, a PIA is required for all\ninvestments at the inception phase of the development life cycle. PIAs are also part of the\nagency\xe2\x80\x99s certification and accreditation process. ISS-01-001, Revision 0, PIA Procedures, dated\nAugust 30, 2006, requires a PIA (or update of an existing PIA) for each legacy system requiring\nrecertification and re-accreditation.\n\n6.b.        Does the agency have a written policy or process for conducting a PIA?\n\nThe agency has developed procedures (ISS-01-001) and a template for conducting PIAs. The\nprocedures provide a detailed discussion of how to complete a PIA and include guidance on how\nto complete certain questions on the PIA. MD and Handbook 3.2 requires the OIS Business\nProcess Improvement and Applications Division (BPIAD) Director to ensure that PIAs are\nconducted, reviewed, and approved before NRC collects information in an identifiable form or\nbefore developing or procuring IT that collects, maintains, or disseminates such information.\nThe OIS Information and Records Services Division (IRSD) Director is required to ensure that\nPIAs are reviewed to address the applicability of the Privacy Act, the Paperwork Reduction Act\ninformation collections requirements, and records management requirements. 
Once IRSD has\ncompleted its review and approved a PIA, IRSD is responsible for declaring the PIA as an\nofficial agency record in the agency\xe2\x80\x99s records management system.\n\n\n\n22\n     Information in identifiable form is information that permits the identity of the individual to whom the information\n     applies to be reasonably inferred directly or indirectly.\n\n\n                                                            21\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n6.c.   Does the agency have a written policy or process for evaluating changes in business\n       process or technology that the PIA indicate as necessary?\n\nPIAs are part of the agency\xe2\x80\x99s project management methodology and certification and\naccreditation process. Any changes in business process or technology indicated by a PIA would\nbe handled in accordance with these processes.\n\n6.d.   Does the agency have a written policy or process for ensuring that system owners and\n       privacy and IT experts participate in conducting the PIA?\n\nOffices/system owners are responsible for preparing a PIA for each IT project/system they\nsponsor and submitting it to OIS for review and approval. The PIA undergoes review several\ntimes during development by privacy and IT experts, including the agency Privacy Program\nOfficer, IRSD privacy and records staff, the computer security team, and the agency\xe2\x80\x99s Senior\nAgency Information Security Officer.\n\n6.e.   Does the agency have a written policy or process for making PIAs available to the public\n       in the required circumstances?\n6.f.   
       Does the agency have a written policy or process for making PIAs available in other than
       required circumstances?

PIAs for systems that collect information from or about members of the public are made publicly
available and posted on the NRC external Web site, unless making the PIA public would raise
security concerns or reveal classified (i.e., national security) or sensitive information (e.g.,
potentially damaging to a national interest, law enforcement effort, or competitive business
interest) contained in the assessment. The sponsoring office is responsible for performing the
review that determines if the PIA can be made public or not. Should an office wish to post on
the external Web site a PIA for a system that does not collect information from or about members
of the public, the office must inform the Privacy Program Officer that it has completed a review
and that there is nothing in the PIA that would preclude it from being made public. The Privacy
Program Officer changes the availability of the document in the agency’s records management
system and has it posted on the agency’s external Web site.

6.g.   Does the agency have a written policy or process for determining continued compliance
       with stated Web policies?

MD and Handbook 3.14, U.S. Nuclear Regulatory Commission Public Web Site, includes
policies and procedures to ensure that (1) operation of the site complies with applicable laws and
regulations; (2) all content on the public Web site increases public confidence in NRC and makes
conducting business with NRC more efficient and effective; and (3) the content (i) reflects
agency policy; (ii) is accurate, current, and easy to find; (iii) is accessible by all site users,
including those with disabilities; (iv) adheres to best practices for Web usability; (v) does not
unfairly promote one organization or commercial entity over others; and (vi) is published only
once and is referenced by links when the same content is related to more than one topic.

MD and Handbook 3.14 is augmented by additional guidance on the agency’s internal Web site.
The additional guidance includes interface requirements for Web-based software applications,
requirements and best practices for Government Web managers, and information on who
participates in Web publishing. The agency’s process for publishing content to the agency’s
public Web site includes five basic steps: (1) initial authorization of content, (2) screening
content, (3) preparing content, (4) formatting content, and (5) publishing content. During the
screening step, the content is checked for Web suitability, including checks for copyright,
OMB information collection requirements, persistent cookies, privacy, and sensitivity. The Web
site includes numerous instructions and checklists for each step of the publishing process.

6.h.   Does the agency have a written policy or process for requiring machine-readability of
       public-facing agency Web sites (i.e., use of P3P[23])?

MD and Handbook 3.14 discusses the use of P3P. The NRC public Web site contains a
machine-readable P3P file that describes for the user’s Web browser how NRC uses information
collected through its online forms. It is the responsibility of the sponsor of each NRC subsite[24]
outside of the NRC public Web site to ensure that their site complies with the OMB guidance on
P3P.

3.7.2 Progress in Implementing OMB M-07-16

 OMB Requirement                                                           OIG Response
 7. Provide a qualitative assessment of the agency’s progress to date      Good
    in implementing the provisions of M-07-16, “Safeguarding Against
    and Responding to the Breach of Personally Identifiable
    Information.”

In response to the OMB memorandum M-07-16, NRC has accomplished the following:

   •   On September 19, 2007, NRC issued the NRC Personally Identifiable Information
       Breach Policy and the NRC Plan to Eliminate the Unnecessary Collection and Use of
       Social Security Numbers. NRC employees were notified of these policies via an
       agencywide announcement on that date.
       Carson Associates analyzed the breach
       notification policy and found it is compliant with the requirements outlined in OMB
       Memorandum M-07-16.
   •   A March 2008 memorandum to the agency from the CIO directed staff to review all
       administrative office files to reduce the unnecessary use of personally identifiable
       information (PII) and to report back to the privacy program officer that the review had
       been completed no later than May 30, 2008.
   •   In June 2008, the agency issued a revised computer security information protection
       policy in response to several OMB memoranda regarding the protection of agency
       sensitive information. The policy provided direction for protection of NRC information
       and information systems and will be included in the next revision of MD 12.5. The
       policy was provided to staff via an NRC Yellow Announcement.[25]
   •   The agency created a PII poster that has been displayed in all agency buildings. Smaller
       copies of the poster are displayed throughout agency offices. The agency also maintains
       a PII project Web page that describes the agency’s activities related to the protection of
       PII. This Web page contains information such as (1) frequently asked questions; (2) how
       to report inadvertent releases of PII; (3) links to OMB, Office of Personnel Management,
       and NRC PII policy; (4) information on the agency’s PII task force (e.g., background and
       charter, membership, and meeting minutes); and (5) information on automated tools
       available to assist in searching for files that contain PII.

[23] The Platform for Privacy Preferences Project (P3P) enables Web sites to express their privacy practices in a
     standard format that can be retrieved automatically and interpreted easily by user agents.
[24] The term subsite is used to refer to a collection of Web pages within a larger site.
[25] NRC Yellow Announcements (formerly Yellow Announcements) establish new policies, practices, or procedures;
     introduce changes in policy, senior staff assignments, or organization; or address major agencywide events. These
     announcements require signature and are retained as permanent records in the agency’s document management
     system.

However, the agency has not fully implemented the provisions of OMB Memorandum M-07-16.
NRC has completed all requirements except for the following:

   •   Agencies must review their current holdings of all PII and ensure, to the maximum extent
       practicable, such holdings are accurate, relevant, timely, and complete and reduce them to
       the minimum necessary for the proper performance of a documented agency function.
       Following the initial review, the agency must develop and make public a schedule by
       which it will periodically update the review of its holdings. NRC has not made a
       schedule public or determined the periodicity of a review of all holdings. However, the
       agency has implemented policy for the annual review of agency shared drives for PII.
   •   Agencies must encrypt all data on mobile computers/devices carrying agency data unless
       the data is determined not sensitive, in writing, by the agency’s Deputy Secretary (or
       equivalent) or a senior-level official the Deputy Secretary may designate in writing. Only
       NIST-certified cryptographic modules may be used for encryption.[26] NRC has prohibited
       the removal of PII from agency controlled space, unless the mobile device is encrypted in
       accordance with NIST standards. Full implementation of the NRC enterprise encryption
       program is expected by June 30, 2010.
   •   Remote access should be allowed only with two-factor authentication where one of the
       factors is provided by a device separate from the computer gaining access. Currently, the
       agency requires a digital certificate and a user identifier and password for remote access.
       However, the certificate is not separate from the computer gaining access. Two-factor
       authentication has been incorporated into the encryption project that is expected to be
       completed by June 30, 2010.
   •   Agencies are required to ensure all individuals with authorized access to PII and their
       supervisors sign at least annually a document clearly describing their responsibilities. To
       ensure that all agency personnel are familiar with their responsibilities to protect sensitive
       information, including PII, NRC issues regular announcements to all employees. These
       announcements provide general guidance or address specific issues. Each notice directs
       agency personnel to an internal Privacy Act Web page, which provides staff access to
       guidance, regulations, procedures, and training in the area of the Privacy Act. However,
       the agency is still developing a methodology for ensuring individuals with access to PII
       and their supervisors sign (at least annually) a document clearly describing their
       responsibilities.

[26] See NIST’s Web site at http://csrc.nist.gov/cryptval/ for a discussion of the certified encryption products.

3.8    Configuration Management (Question 8)

3.8.1 Configuration Policy and Common Security Configurations

 OMB Requirement                                                           OIG Response
 8.a. Is there an agencywide security configuration policy?                Yes
 8.b. Approximate the extent to which applicable systems implement         Mostly (81-95% of
      common security configurations, including use of common security    the time)
      configurations available from the National Institute of Standards
      and Technology’s Web site at http://checklists.nist.gov.

FISMA requires agencies to develop policies and procedures that ensure compliance with
minimally acceptable system configuration requirements as determined by the agency.
NIST SP
800-53 requires organizations to (1) establish mandatory configuration settings for information
technology products employed within the information system, (2) configure the security settings
of information technology products to the most restrictive mode consistent with operational
requirements, (3) document the configuration settings, and (4) enforce the configuration settings
in all components of the information system.

The agency has implemented several policies that address security configurations and their
implementation. System security screening guidelines were developed to prepare new systems
for implementation into the NRC production operating environment. The security screening
ensures that system configurations meet NRC network security requirements. The guidelines
outline the steps necessary to request and perform the security screening process, provide
guidance on managing and developing a secure system, and list industry best practices and
additional resources.

The agency has also posted guidance on the NRC internal Web site requiring the use of
hardening specifications for the different operating systems and software in use at the agency.
Hardening specifications in use at the agency include benchmarks developed by the Center for
Internet Security (CIS), the Defense Information Systems Agency (DISA) Gold Disk,[27] National
Security Agency security configuration guides, and custom hardening specifications developed
by the agency. The agency requires the use of the most recent version of the specified hardening
specifications.

[27] The DISA Gold Disk is a tool that allows a system administrator to scan a system for vulnerabilities, make
     appropriate security configuration changes, and apply security patches. The Gold Disk uses an automated process
     that configures a system in accordance with DISA Security Technical Implementation Guidelines.

NRC uses PatchLink to keep desktop configurations consistent across NRC. Network Bulletins
are used to announce agency workstation updates. The announcements describe the nature of the
upgrade and whether or not a workstation restart is required after the patches are installed.

To determine the extent to which applicable systems apply common security configurations,
Carson Associates reviewed the security test and evaluation results for the four systems selected
for evaluation in FY 2008. The agency performs a vulnerability assessment during security
control testing, which includes vulnerability scans, penetration tests, and hardening checks using
the following tools:

   •   Nessus – A general-purpose scanning tool that provides information on network-based
       vulnerabilities.
   •   DISA Gold Disk – A Department of Defense tool that tests Windows-based hosts for
       compliance with the DISA Gold standard, including file and registry access control and
       auditing settings, running services, installed applications and patches, and user rights.
   •   CORE Impact – A specialized penetration testing tool that provides automated testing of
       known exploits against detected platforms, protocols, and services.
   •   CIS Benchmarks – NRC-approved security hardening specifications for a variety of
       platforms and software, prepared by CIS (http://www.cisecurity.org/).

The results from the vulnerability assessments for the four systems selected for evaluation in FY
2008 indicate that the systems apply common security configurations 81-95 percent of the time.

3.8.2 Federal Desktop Core Configuration (FDCC)

 OMB Requirement                                                           OIG Response
 8.c.1. Agency has adopted and implemented FDCC standard                   Yes
        configurations and has documented deviations.
 8.c.2. New Federal Acquisition Regulation 2007-004 language, which        Yes
        modified “Part 39—Acquisition of Information Technology,” is
        included in all contracts related to common security settings.
 8.c.3. All Windows XP and Vista computing systems have                    No
        implemented the FDCC security settings.

In March 2007, OMB issued a series of memoranda requiring agencies to develop plans for using
Windows XP and Vista security configurations developed by NIST, the Department of Defense,
and the Department of Homeland Security. Plans were to be submitted to OMB by May 1, 2007.
The memoranda also require new acquisitions to include the configurations and require IT
providers to certify their products operate effectively using the configurations. In June 2007,
OMB issued a memorandum containing recommended language to use in solicitations to ensure
new acquisitions include common configurations and IT providers certify their products operate
effectively using the configurations. Agencies were required to report to OMB by February 1,
2008, the number of desktops using Windows XP and Vista and the number of those desktops
that have implemented FDCC security settings.
Agencies were also required to report to NIST
the same information, as well as FDCC deviations for each operational environment/system
role[28] present within the agency.

On April 27, 2007, the agency submitted its plan for using Windows XP and Vista security
configurations to OMB. The agency’s plan included all agency standard desktops/laptops.[29] On
November 9, 2007, the agency issued a memorandum requiring a clause for ensuring new
acquisitions include common security configurations in all new IT acquisition solicitations,
contracts, agreements, purchase orders, delivery orders, and task orders awarded under the
General Services Administration’s Federal Supply Schedule. The memorandum also provided
instructions for incorporating the clause into existing contracts, agreements, purchase orders,
delivery orders, and task orders. On February 12, 2008, the agency submitted its FDCC status
update to OMB and reported that the agency has a total of 4,856 managed desktops running
Windows XP service pack 2, none of which are FDCC compliant. The report to OMB also
included a breakdown of how many FDCC settings the agency does and does not meet. NIST
has established two types of FDCC settings: group policy settings and application/registry
settings. As of the February 2008 report to OMB, NRC met or exceeded 213 of the 237 group
policy settings and met or exceeded 37 of the 62 application/registry settings that apply to the
NRC environment. On March 31, 2008, the agency submitted its FDCC compliance report to
NIST. When reporting to NIST, the agency reported only on the number of centrally-managed
general-purpose desktops and reported a total of 27 deviations from the FDCC settings.

[28] NIST defines five operational environment/system roles for the purposes of FDCC reporting: centrally-managed
     general-purpose desktop, centrally-managed general-purpose laptop, development system, special use system, and
     other.
[29] Standard desktops and laptops only include those leased from a commercial vendor under the agency’s seat
     management contract. They do not include desktops or laptops owned by the agency.

FINDING C – Not All Windows XP and Vista Systems Have Implemented FDCC Security
Settings (New Finding)

While the agency has adopted and implemented FDCC standard configurations, documented
deviations, and included the new Federal Acquisition Regulation language in all contracts related
to common security settings, Carson Associates found that not all Windows XP and Vista
systems have implemented FDCC security settings. The agency’s plan for using Windows XP
and Vista security configurations included all agency standard desktops/laptops; however, the
agency only reported to OMB and NIST on the number of centrally managed general purpose
desktops connected to the NRC local area network. It is unclear whether the information
reported to OMB and NIST also included centrally-managed general-purpose laptops, desktops
and laptops that are not centrally managed, or desktops and laptops used as standalone[30] systems.

[30] Standalone refers to a desktop or laptop that is not configured for connectivity to the NRC local area network.

According to a 2005 OIG report on standalone PCs and laptops,[31] in 2005 there were
approximately 117 standalone PCs and laptops that were used to process safeguards[32] and/or
classified[33] information. However, the number of standalone PCs and laptops that do not process
safeguards and/or classified information is unknown, as these standalone PCs and laptops are not
tracked in a central location. NRC has not included any standalone systems in its FDCC
implementation plans or reports to OMB and NIST.

The 2005 OIG report found that security controls for standalone PCs and laptops were not
adequate. The security controls were lacking because users were not given sufficient guidance
on implementing security controls, the agency lacked a mechanism for assigning users
responsibility for implementing security controls, and the agency lacked procedures for verifying
that all required security controls were being implemented. This finding can be extended to
include the lack of policies and procedures to implement the FDCC security settings. Many of
the security controls the OIG found to be lacking are included in the FDCC security settings.
Implementation of the FDCC security settings would correct many of the security controls found
to be lacking in the OIG report.

[31] OIG-05-A-18, System Evaluation of Security Controls for Standalone Personal Computers and Laptops,
     September 22, 2005.
[32] Safeguards information is sensitive unclassified information that specifically identifies the (1) detailed security
     measures of a licensee or an applicant for the physical protection of special nuclear material or (2) security
     measures for the physical protection and location of certain plant equipment vital to the safety of production or
     utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act
     of 1954, as amended.
[33] Classified information is information (such as a document or correspondence) that is designated National Security
     Information, Restricted Data, or Formerly Restricted Data.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   3. Develop agencywide policy and procedures regarding the implementation and monitoring
      of Federal Desktop Core Configuration controls for all desktop and laptop computers,
      including both those that are centrally managed under the agency’s seat management
      contract and those that are owned by the agency, regardless of whether or not they are
      connected to the agency’s network.
   4. Develop a process for verifying that all Federal Desktop Core Configuration controls are
      implemented for all desktop and laptop computers, including both those that are centrally
      managed under the agency’s seat management contract and those that are owned by the
      agency, regardless of whether or not they are connected to the agency’s network.

3.9    Incident Reporting (Question 9)

 OMB Requirement                                                           OIG Response
 9.a. The agency follows documented policies and procedures for            Yes
      identifying and reporting incidents internally.
 9.b. The agency follows documented policies and procedures for            Yes
      external reporting to US-CERT (http://www.us-cert.gov).
 9.c. The agency follows documented policies and procedures for            Yes
      reporting to law enforcement.

On May 2, 2008, the agency issued a revised policy on computer security incident response and
PII incident response. The policy provides direction for responding to computer security
incidents affecting the NRC’s systems, networks, and users, as well as PII incidents, and will be
included in the next revision of MD 12.5. The revised policy contains time frames for
responding to such incidents, based on the criticality of the affected resources and the incident;
formally establishes a Computer Security Incident Response Team (CSIRT) to respond to such
incidents; and outlines the CSIRT’s security incident response process.
The CSIRT will include\nstaff from the following offices: Computer Security Office, Office of Information Services,\nOffice of Administration, and Office of Nuclear Security and Incident Response.\n\nThe agency has a page on its internal Web site with information on incident response, including\nwhat to do if a user discovers a virus; suspicious e-mail; or the deliberate or inadvertent release\nof sensitive, classified, or safeguards information. The agency has also developed incident\nresponse procedures for Exchange 2007/Outlook 2007 (electronic mail).\n\n3.10   Security Awareness Training (Question 10)\n\n                            OMB Requirement                                        OIG Response\n 10. Has the agency ensured security awareness training of all               Almost Always (96-\n employees, including contractors and those employees with significant       100% of employees)\n IT security responsibilities?\n\nAll new NRC employees (including onsite contractors, interns, and summer hires) are required to\nattend orientation the first day they report for duty. During the orientation, employees are given\na brief presentation, which includes a discussion on appropriate use of information technology\nequipment. In addition, a representative from the Office of the General Counsel presents a\nsession on ethics that includes additional discussions on appropriate use of the Internet.\n\nFor FY 2008, all employees, including contractors, were required to take an online computer\nsecurity awareness self-study course. All NRC employees and support contractors having\nnetwork accounts were required to complete the course. Employees were also required to take\nand complete a quiz before receiving credit for taking the course. According to the agency, 97\npercent of total employees (including contractors) have completed the online computer security\nawareness self-study course and completed the quiz. 
A score of 70 percent or higher is required\nto receive credit for completion of the course and quiz.\n\n\n                                                 29\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n\n\nAll Information System Security Officers and IT managers are required to take an additional\nonline IT security awareness training course in addition to the required security awareness\ntraining described above. This additional IT security awareness training course must be taken\nevery 3 years. NRC also provides an online IT security awareness course for system\nadministrators. All system administrators must take this training course before assuming their\nduties, and then every 3 years thereafter.\n\nNRC meets the Office of Personnel Management requirement to expose employees to security\nawareness materials at least annually by (1) mandating all NRC staff take annual IT security\nawareness training and by documenting who takes the annual training; (2) using posters, flyers,\nWeb pages, NRC Yellow Announcements, NRC Announcements, and articles/notices in the\nNRC monthly newsletter to keep computer security on everyone\xe2\x80\x99s mind throughout the year; and\n(3) by holding an Annual NRC Security Awareness Day event.\n\nFINDING D \xe2\x80\x93 Agency Still Developing Procedures for Ensuring Employees With\nSignificant IT Security Responsibilities Receive Security Training (Repeat Finding)\n\nWhile the agency meets the FISMA requirement to ensure all employees received IT security\nawareness training, the agency still has not met the requirement to provide specialized training\nfor employees with significant security responsibilities as described in NIST SP 800-16,\nInformation Technology Security Training Requirements: A Role- and Performance-Based\nModel.\n\nOn April 3, 
2008, the CISO issued a memorandum asking for support and action to ensure that\nall employees with significant IT security responsibilities are appropriately identified. The\nmemorandum requires recipients of the memorandum to report back to the CISO by July 1,\n2008, on the names of staff within their organization who have an IT security role as part of their\nofficial duties. The memorandum included a spreadsheet that can be used to identify the\nindividuals with these roles and a template for completing the report. The information from the\ndata call is currently being compiled into a database to develop a comprehensive role-based\ntraining plan. In March 2008, the agency contacted the Department of State to request training\nservices under its Information Systems Security Line of Business, Information Assurance Role-\nBased Training Program. In addition to the role-based training the agency expects to be\navailable via the Department of State, the agency provided a Defense in Depth \xe2\x80\x93 Securing\nWindows Server 2003 course to approximately 20 employees in January 2008 and provided role-\nbased training for system owners in August 2008.\n\n\n\n\n                                                30\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2008\n\n\n3.11   Collaborative Web Technologies and Peer-to-Peer File Sharing (Question\n       11)\n\n                           OMB Requirement                                       OIG Response\n 11. 
Does the agency explain policies regarding the use of                 Yes\n collaborative Web technologies and peer-to-peer file sharing in IT\n security awareness training, ethics training, or any other agencywide\n training?\n\nThe IT Security Policies page on the agency\xe2\x80\x99s internal Web site specifically states that the\ninstallation of peer-to-peer (P2P) software on NRC computers is prohibited unless explicitly\napproved by the NRC Designated Approving Authority. The Web page also provides a link to\nP2P frequently asked questions. The FY 2008 online computer security awareness self-study\ncourse briefly discussed some types of collaborative Web technologies such as bulletin boards,\ndiscussion groups, instant messaging, and chat. The online computer security awareness self-\nstudy course also discussed the use of P2P and file-sharing software and reiterated the\nrequirement to get explicit written approval from the NRC Designated Approving Authority\nprior to installing P2P software on NRC computers.\n\n3.12   E-Authentication Risk Assessments (Question 12)\n\n                           OMB Requirement                                       OIG Response\n 12.a. Has the agency identified all e-authentication applications and     No\n validated that the applications have operationally achieved the\n required assurance level in accordance with the NIST Special\n Publication 800-63, \xe2\x80\x9cElectronic Authentication Guidelines?\xe2\x80\x9d\n 12.b. If the response is \xe2\x80\x9cNo,\xe2\x80\x9d then please identify the systems in        See below.\n which the agency has not implemented the e-authentication guidance\n and indicate if the agency has a planned date of remediation.\n\nIn December 2003, OMB issued memorandum M-04-04, E-Authentication Guidance for Federal\nAgencies, which requires agencies to review new and existing electronic transactions to ensure\nthe authentication processes provide the appropriate level of assurance. 
The FY 2008 FISMA guidance from OMB defines an e-authentication application as one that is
Web-based, requires authentication, and extends beyond the borders of the agency’s enterprise
(e.g., multi-agency, governmentwide, or used by the public). Based on these criteria, NRC
initially determined that it did not have any e-authentication applications. Subsequent to the
completion of fieldwork, the agency stated it has one e-authentication application in operation
and another in development.

Carson Associates reviewed the e-authentication risk assessment and security plan for the
agency’s one operational e-authentication application and determined that the application has not
operationally achieved the required assurance level in accordance with NIST SP 800-63,
Electronic Authentication Guidelines.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Update the NRC System Information Control Database to identify all interfaces between
       systems.
    2. Develop and implement procedures to ensure interface information in the NRC System
       Information Control Database is consistent with interface information in security plans
       and risk assessments.
    3. Develop agencywide policy and procedures regarding the implementation and monitoring
       of Federal Desktop Core Configuration controls for all desktop and laptop computers,
       including both those that are centrally managed under the agency’s seat management
       contract and those that are owned by the agency regardless of whether or not they are
       connected to the agency’s network.
    4. Develop a process for verifying that all Federal Desktop Core Configuration controls are
       implemented for all desktop and laptop computers, including both those that are centrally
       managed under the agency’s seat management contract and those that are owned by the
       agency regardless of whether or not they are connected to the agency’s network.

5      Agency Comments

At an exit conference on September 16, 2008, agency officials agreed with the report’s findings
and recommendations and provided two editorial changes, which the OIG incorporated as
appropriate.
The agency opted not to submit formal comments.

Appendix A.       SCOPE AND METHODOLOGY

Carson Associates performed an independent evaluation of NRC’s Implementation of FISMA
for FY 2008. To conduct the independent evaluation, the team met with agency staff responsible
for implementing the agency’s information system security program, reviewed certification and
accreditation documentation for the agency’s operational information systems, and reviewed
other documentation provided by the agency that demonstrated its implementation of FISMA.

All analyses were performed in accordance with guidance from the following:

   •   National Institute of Standards and Technology standards and guidelines.
   •   Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC
       Automated Information Security Program.
   •   NRC Office of the Inspector General audit guidance.

This work was conducted between April 2008 and August 2008. Any information received from
the agency subsequent to the completion of fieldwork was incorporated when possible. The
work was conducted by Jane M. Laroussi, CISSP, and Joseph P. Rood, CISSP, CISA, from
Richard S. Carson and Associates, Inc.

Appendix B.      FY 2008 OMB FISMA REPORTING TEMPLATE FOR IGs

This appendix contains the FY 2008 OMB FISMA Reporting Template for IGs (referred to by
OMB as Section C) that will be included in the agency’s FISMA submission to OMB.

                     Section C - Inspector General: Questions 1 and 2
Agency Name:      Nuclear Regulatory Commission          Submission date:   September 19, 2008

                              Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or
operated by an agency or by a contractor of an agency or other organization on behalf of an
agency.

In the table below, identify the number of agency and contractor information systems, and the
number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low,
or not categorized).
Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor
systems shall include information systems used or operated by a contractor of an agency or other
organization on behalf of an agency. The total number of systems shall include both agency
systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor
of their agency or other organization on behalf of their agency; therefore, self reporting by
contractors does not meet the requirements of law. Self-reporting by another Federal agency, for
example, a Federal service provider, may be sufficient. Agencies and service providers have a
shared responsibility for FISMA compliance.

     Question 2: Certification and Accreditation, Security Controls Testing, and Contingency
                                        Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact
Level in the table for Question 1, identify the number and percentage of systems which have: a
current certification and accreditation, security controls tested and reviewed within the past year,
and a contingency plan tested in accordance with policy.

                                         Question 1                                        Question 2
                         a. Agency       b. Contractor   c. Total Systems   a. Certified    b. Security        c. Contingency
                         Systems         Systems         (Agency and        and             controls tested    plans tested in
                                                         Contractor)        accredited      and reviewed in    accordance with
                                                                                            the past year      policy
Bureau   FIPS 199        Number Number   Number Number   Number Number      Number Percent  Number Percent     Number Percent
Name     Impact Level           Reviewed       Reviewed        Reviewed            of Total        of Total           of Total
         High              11     1        1      0       12      1           1    100%      1    100%          1    100%
         Moderate          17     2        9      0       26      2           2    100%      2    100%          2    100%
         Low                0     0        1      1        1      1           1    100%      1    100%          1    100%
         Not Categorized    0     0        0      0        0      0
         Sub-total         28     3       11      1       39      4           4    100%      4    100%          4    100%

Agency   High              11     1        1      0       12      1           1    100%      1    100%          1    100%
Totals   Moderate          17     2        9      0       26      2           2    100%      2    100%          2    100%
         Low                0     0        1      1        1      1           1    100%      1    100%          1    100%
         Not Categorized    0     0        0      0        0      0           0               0                  0
         Total             28     3       11      1       39      4           4    100%      4    100%          4    100%

The template’s five additional Component/Bureau blocks are unused; every entry in them is 0.
                         Section C - Inspector General: Question 3
Agency Name:     Nuclear Regulatory Commission

   Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency
                                       System Inventory

      3.a.  The agency performs oversight and evaluation to ensure information systems used or
            operated by a contractor of the agency or other organization on behalf of the agency
            meet the requirements of FISMA, OMB policy and NIST guidelines, national security
            policy, and agency policy.

            Agencies are responsible for ensuring the security of information systems used by a
            contractor of their agency or other organization on behalf of their agency; therefore,
            self reporting by contractors does not meet the requirements of law. Self-reporting by
            another Federal agency, for example, a Federal service provider, may be sufficient.
            Agencies and service providers have a shared responsibility for FISMA compliance.

            Response Categories:
             - Rarely- for example, approximately 0-50% of the time
             - Sometimes- for example, approximately 51-70% of the time
             - Frequently- for example, approximately 71-80% of the time
             - Mostly- for example, approximately 81-95% of the time
             - Almost Always- for example, approximately 96-100% of the time

            Response: Almost Always (96-100% of the time)

      3.b.  The agency has developed a complete inventory of major information systems
            (including major national security systems) operated by or under the control of such
            agency, including an identification of the interfaces between each such system and all
            other systems or networks, including those not operated by or under the control of the
            agency.

            Response Categories:
             - The inventory is approximately 0-50% complete
             - The inventory is approximately 51-70% complete
             - The inventory is approximately 71-80% complete
             - The inventory is approximately 81-95% complete
             - The inventory is approximately 96-100% complete

            Response: Inventory is 96-100% complete

      3.c.  The IG generally agrees with the CIO on the number of agency-owned systems.
            Yes or No.                                                              Yes

      3.d.  The IG generally agrees with the CIO on the number of information systems used or
            operated by a contractor of the agency or other organization on behalf of the agency.
            Yes or No.                                                              Yes

      3.e.  The agency inventory is maintained and updated at least annually. Yes or No.   Yes

      3.f.  If the Agency IG does not evaluate the Agency's inventory as 96-100% complete,
            please identify the known missing systems by Component/Bureau, the Unique Project
            Identifier (UPI) associated with the system as presented in your FY2008 Exhibit 53
            (if known), and indicate if the system is an agency or contractor system.

            Component/Bureau   System Name   Exhibit 53 Unique Project     Agency or Contractor
                                             Identifier (UPI)              system?
                                             {must be 23-digits}
            (no entries)

                       Section C - Inspector General: Questions 4 and 5
Agency Name:     Nuclear Regulatory Commission

         Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process

Assess whether the agency has developed, implemented, and is managing an agency-wide plan
of action and milestones (POA&M) process. Evaluate the degree to which each statement
reflects the status in your agency by choosing from the responses provided. If appropriate or
necessary, include comments in the area provided.

For each statement in items 4.a. through 4.f., select the response category that best reflects the
agency's status.

Response Categories:
 - Rarely- for example, approximately 0-50% of the time
 - Sometimes- for example, approximately 51-70% of the time
 - Frequently- for example, approximately 71-80% of the time
 - Mostly- for example, approximately 81-95% of the time
 - Almost Always- for example, approximately 96-100% of the time

      4.a.  The POA&M is an agency-wide process, incorporating all known IT security
            weaknesses associated with information systems used or operated by the agency or
            by a contractor of the agency or other organization on behalf of the agency.
                                                      Almost Always (96-100% of the time)

      4.b.  When an IT security weakness is identified, program officials (including CIOs, if
            they own or operate a system) develop, implement, and manage POA&Ms for their
            system(s).                                Almost Always (96-100% of the time)

      4.c.  Program officials and contractors report their progress on security weakness
            remediation to the CIO on a regular basis (at least quarterly).
                                                      Almost Always (96-100% of the time)

      4.d.  Agency CIO centrally tracks, maintains, and reviews POA&M activities on at least a
            quarterly basis.                          Almost Always (96-100% of the time)

      4.e.  IG findings are incorporated into the POA&M process.
                                                      Almost Always (96-100% of the time)

      4.f.  POA&M process prioritizes IT security weaknesses to help ensure significant IT
            security weaknesses are addressed in a timely manner and receive appropriate
            resources.                                Almost Always (96-100% of the time)

POA&M process comments:
NRC has two primary tools for tracking IT security weaknesses. At a high level, NRC uses the
POA&Ms required by OMB to track (1) corrective actions from the OIG annual independent
evaluation, (2) corrective actions from the agency’s annual review, and (3) recurring FISMA and
IT security action items such as annual security control assessments and annual contingency
plan testing. The POA&Ms may also include corrective actions resulting from other security
studies conducted by or on behalf of NRC.
The more specific corrective actions associated with the certification and accreditation process
(e.g., corrective actions resulting from risk assessments and security control testing) are tracked
in Rational ClearQuest as change requests using the project management methodology process
for change management.

              Question 5: IG Assessment of the Certification and Accreditation Process

Provide a qualitative assessment of the agency's certification and accreditation process,
including adherence to existing policy, guidance, and standards. Provide narrative comments as
appropriate.

Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and
Accreditation of Federal Information Systems" (May 2004) for certification and accreditation
work initiated after May 2004. This includes use of the FIPS 199, "Standards for Security
Categorization of Federal Information and Information Systems" (February 2004) to determine a
system impact level, as well as the associated NIST documents used as guidance for completing
risk assessments and security plans.

      5.a.  The IG rates the overall quality of the Agency's certification and accreditation
            process as:

            Response Categories:
             - Excellent
             - Good
             - Satisfactory
             - Poor
             - Failing

            Response: Satisfactory

      5.b.  The IG's quality rating included or considered the following aspects of the C&A
            process: (check all that apply)

            [X] Security plan
            [X] System impact level
            [X] System test and evaluation
            [X] Security control testing
            [ ] Incident handling
            [ ] Security awareness training
            [X] Configurations/patching
            Other: Risk assessment

C&A process comments:
Incident handling and security awareness training were evaluated at the agency level.

                   Section C - Inspector General: Questions 6, 7, and 8
Agency Name:     Nuclear Regulatory Commission

   Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment
                                      (PIA) Process

      6     Provide a qualitative assessment of the agency's Privacy Impact Assessment (PIA)
            process, as discussed in Section D Question #5 (SAOP reporting template), including
            adherence to existing policy, guidance, and standards.

            Response Categories:
             - Excellent
             - Good
             - Satisfactory
             - Poor
             - Failing

            Response: Excellent

Comments: (none provided)

      7     Provide a qualitative assessment of the agency’s progress to date in implementing
            the provisions of M-07-16 Safeguarding Against and Responding to the Breach of
            Personally Identifiable Information.

            Response Categories:
             - Excellent
             - Good
             - Satisfactory
             - Poor
             - Failing

            Response: Good

Comments: (none provided)

                           Question 8: Configuration Management

      8.a.  Is there an agency-wide security configuration policy? Yes or No.        Yes

Comments: (none provided)

      8.b.  Approximate the extent to which applicable systems implement common security
            configurations, including use of common security configurations available from the
            National Institute of Standards and Technology’s website at
            http://checklists.nist.gov.

            Response categories:
             - Rarely- for example, approximately 0-50% of the time
             - Sometimes- for example, approximately 51-70% of the time
             - Frequently- for example, approximately 71-80% of the time
             - Mostly- for example, approximately 81-95% of the time
             - Almost Always- for example, approximately 96-100% of the time

            Response: Mostly (81-95% of the time)

      8.c.  Indicate which aspects of Federal Desktop Core Configuration (FDCC) have been
            implemented as of this report:

            c.1. Agency has adopted and implemented FDCC standard configurations and has
                 documented deviations. Yes or No.                                   Yes

            c.2  New Federal Acquisition Regulation 2007-004 language, which modified
                 "Part 39—Acquisition of Information Technology", is included in all contracts
                 related to common security settings. Yes or No.                     Yes

            c.3  All Windows XP and VISTA computing systems have implemented the FDCC
                 security settings. Yes or No.                                       No

                  Section C - Inspector General: Questions 9, 10 and 11
Agency Name:     Nuclear Regulatory Commission

                                Question 9: Incident Reporting

Indicate whether or not the agency follows documented policies and procedures for reporting
incidents internally, to US-CERT, and to law enforcement. If appropriate or necessary, include
comments in the area provided below.

      9.a.  The agency follows documented policies and procedures for identifying and
            reporting incidents internally. Yes or No.                               Yes

      9.b.  The agency follows documented policies and procedures for external reporting to
            US-CERT. Yes or No. (http://www.us-cert.gov)                             Yes

      9.c.  The agency follows documented policies and procedures for reporting to law
            enforcement. Yes or No.                                                  Yes

Comments: (none provided)

                          Question 10: Security Awareness Training

Has the agency ensured security awareness training of all employees, including contractors and
those employees with significant IT security responsibilities?

Response Categories:
 - Rarely- or approximately 0-50% of employees
 - Sometimes- or approximately 51-70% of employees
 - Frequently- or approximately 71-80% of employees
 - Mostly- or approximately 81-95% of employees
 - Almost Always- or approximately 96-100% of employees

Response: Almost Always (96-100% of employees)

         Question 11: Collaborative Web Technologies and Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of collaborative web technologies and
peer-to-peer file sharing in IT security awareness training, ethics training, or any other
agency-wide training? Yes or No.                                                     Yes

                       Question 12: E-Authentication Risk Assessments

12.a. Has the agency identified all e-authentication applications and validated that the
      applications have operationally achieved the required assurance level in accordance with
      the NIST Special Publication 800-63, “Electronic Authentication Guidelines”? Yes or No.
                                                                                     No

12.b. If the response is “No”, then please identify the systems in which the agency has not
      implemented the e-authentication guidance and indicate if the agency has a planned date
      of remediation.

      The agency’s one operational e-authentication application has not operationally achieved
      the required assurance level in accordance with NIST SP 800-63, Electronic Authentication
      Guidelines.
